Abstract

Many Embedded Systems are indeed Software Based Control Systems (SBCSs), that is control systems whose controller consists of control software running on a microcontroller device. This motivates investigation on Formal Model Based Design approaches for automatic synthesis of SBCS control software. We present an algorithm, along with a tool QKS implementing it, that from a formal model (as a Discrete Time Linear Hybrid System, DTLHS) of the controlled system (plant), implementation specifications (that is, number of bits in the Analog-to-Digital, AD, conversion) and System Level Formal Specifications (that is, safety and liveness requirements for the closed loop system) returns correct-by-construction control software that has a Worst Case Execution Time (WCET) linear in the number of AD bits and meets the given specifications. We show feasibility of our approach by presenting experimental results on using it to synthesize control software for a buck DC-DC converter, a widely used mixed-mode analog circuit.
1. Every T seconds (sampling time) do
2. Read AD conversion x̂ of plant sensor outputs x
3. If (x̂ is not in the Controllable_Region)
4. Then // Exception (Fault Detected):
5. Start Fault Isolation and Recovery (FDIR)
6. Else // Nominal case:
7. Compute (Control_Law) command u from x̂
8. Send DA conversion û of u to plant actuators

Figure 1: A typical control loop skeleton



1 Introduction 

Many Embedded Systems are indeed Software Based Control Systems (SBCSs). An SBCS consists of two main subsystems: the controller and the plant. Typically, the plant is a physical system consisting, for example, of mechanical or electrical devices whereas the controller consists of control software running on a microcontroller. In an endless loop, the controller reads sensor outputs from the plant and sends commands to plant actuators in order to guarantee that the closed loop system (that is, the system consisting of both plant and controller) meets given safety and liveness specifications (System Level Formal Specifications).

Software generation from models and formal specifications forms the core of Model Based Design of embedded software [24]. This approach is particularly interesting for SBCSs since in such a case system level (formal) specifications are much easier to define than the control software behavior itself.

Fig. 1 shows the typical control loop skeleton for an SBCS. Measures from plant sensors go through an AD (analog-to-digital) conversion (quantization) before being processed (line 2) and commands from the control software go through a DA (digital-to-analog) conversion before being sent to plant actuators (line 8). Basically, the control software design problem for SBCSs consists in designing software implementing functions Control_Law and Controllable_Region computing, respectively, the command to be sent to the plant (line 7) and the set of states on which the Control_Law function works correctly (Fault Detection in line 3).



For SBCSs system level specifications are typically given with respect to the desired behaviour of the closed loop system. The control software (that is, Control_Law and Controllable_Region) is designed using a separation-of-concerns approach. That is, Control Engineering techniques are used to design, from the closed loop system level specifications, functional specifications (control law) for the control software whereas Software Engineering techniques are used to design control software implementing the given functional specifications. Such a separation-of-concerns approach has several drawbacks.

First, usually control engineering techniques do not yield a formally verified specification for the control law or controllable region when quantization is taken into account. This is particularly the case when the plant has to be modelled as a Hybrid System [6, ?, 19, ?] (that is a system with continuous as well as discrete state changes). As a result, even if the control software meets its functional specifications there is no formal guarantee that system level specifications are met since quantization effects are not formally accounted for.

Second, issues concerning computational resources, such as control software Worst Case Execution Time (WCET), can only be considered very late in the SBCS design activity, namely once the software has been designed. As a result, the control software may have a WCET greater than the sampling time (line 1 in Fig. 1). This invalidates the schedulability analysis (typically carried out before the control software is completed) and may trigger redesign of the software or even of its functional specifications (in order to simplify its design).

Last, but not least, the classical separation-of-concerns approach does not effectively support design space exploration for the control software. In fact, although in general there will be many functional specifications for the control software that will allow meeting the given system level specifications, the software engineer only gets one to play with. This overconstrains a priori the design space for the control software implementation, preventing, for example, effective performance trading (for example, between WCET, RAM usage, CPU power consumption, etc.).

The previous considerations motivate research on methods and tools that from the plant model (as a hybrid system), from formal specifications for the closed loop system behaviour (System Level Formal Specifications) and from implementation specifications (that is, number of bits used in the quantization process) can generate correct-by-construction control software satisfying the given specifications. This is the focus of the present paper.

1.1 Our Main Contributions

We model the controlled system (plant) as a Discrete Time Linear Hybrid System (DTLHS), that is a discrete time hybrid system whose dynamics is defined as a linear predicate (i.e., a boolean combination of linear constraints) on its variables. We model system level safety as well as liveness specifications as sets of states defined, in turn, as linear predicates. In our setting, as always in control problems, liveness constraints define the set of states that any evolution of the closed loop system should eventually reach (goal states). Using an approach similar to the one in [22, 23] it is possible to prove that both existence of a controller for a DTLHS and existence of a quantized controller for a DTLHS are undecidable problems. Accordingly, we can only hope for semi-algorithms.

We present constructive algorithms defining, respectively, a sufficient and a necessary condition for existence of a solution to our control software synthesis problem. Given a DTLHS model $\mathcal{H}$ for the plant, a quantization schema (i.e. how many bits we use for AD conversion) and system level formal specifications, our algorithms will return 1 if a solution exists (respectively, does not exist), and otherwise report that they are unable to decide (an unavoidable case, since our problem is undecidable). Furthermore, when our sufficient condition is satisfied, we return a pair of C functions Control_Law, Controllable_Region such that: function Control_Law implements a (near time-optimal) Quantized Feedback Controller (QFC) for $\mathcal{H}$ meeting the given system level formal specifications and function Controllable_Region computes the set of states on which Control_Law is guaranteed to work correctly (controllable region). Both functions have a Worst Case Execution Time (WCET) guaranteed to be linear in the number of bits of the state quantization schema. Furthermore, function Control_Law is robust, that is, it meets the given closed loop requirements notwithstanding (nondeterministic) disturbances such as variations in the plant parameters.

We implemented our algorithm on top of the CUDD package and of the GLPK Mixed Integer Linear Programming (MILP) solver and present experimental results on using our tool QKS to synthesize robust control software for a widely used mixed-mode analog circuit: the buck DC-DC converter (e.g. see [?]). This is an interesting and challenging example (e.g., see [16] and Sect. 1 of [?]) for automatic synthesis of correct-by-construction control software from system level formal specifications.

Our experimental results show that within about 40 hours of CPU time and within 100MB of RAM we can synthesize control software for a 10-bit quantized buck DC-DC converter.

1.2 Related Work 

This paper is a journal version of [30] which is extended here by providing omitted proofs and algorithms.

Control software synthesis for continuous time linear systems (no switching) has been studied in [?] (and citations thereof), and in [?] (for piecewise affine systems). Such works do not account for state feedback quantization. Thus (formal) system level correctness of the generated software is not addressed. Of course Quantized Feedback Control has been widely studied in control engineering (e.g. see [?]). However such research does not address hybrid systems (our case) and focuses on control law design rather than on control software synthesis (our goal). Furthermore, all control engineering approaches model quantization errors as statistical noise. As a result, correctness of the control law holds in a probabilistic sense. Here instead, we model quantization errors as nondeterministic (malicious) disturbances. This guarantees system level correctness of the generated control software (not just that of the control law) with respect to any possible sequence of quantization errors.

When the plant model is a Timed Automaton (TA) [6] the reachability and control law synthesis problems have both been widely studied. Examples are in [27, 13, 29, ?] and citations thereof. When the plant model is a Linear Hybrid Automaton (LHA) [?, 3] reachability and existence of a control law are both undecidable problems [22, 23]. This, of course, has not prevented devising effective (semi) algorithms for such problems. Examples are in [5, ?]. Much in the same spirit here we give a necessary condition along with a constructive sufficient condition for control software existence. Note that none of the above mentioned papers address control software synthesis since they all assume exact (i.e. real valued) state measures (that is, state feedback quantization is not considered).

Finite horizon control of Piecewise Affine Discrete Time Hybrid Systems (PWA-DTHS) has been studied using a MILP based approach. See, for example, [11]. Explicit finite horizon control synthesis algorithms for discrete time (possibly non-linear) hybrid systems have been studied in [?] and citations thereof. Such approaches cannot be directly used in our context since they address synthesis of finite horizon controllers and do not account for quantization. Correct-by-construction software synthesis in a finite state setting has been studied, for example, in [?, ?, ?, ?]. Such approaches cannot be directly used in our context since they cannot handle continuous state variables.

Quantization can be seen as a sort of abstraction, which has been widely studied in a hybrid system formal verification context (e.g., see [?, 2]). Note however that in a verification context abstractions are designed so as to ease the verification task whereas in our setting quantization is a design requirement since it models a hardware component (AD converter) which is part of the specification of the control software synthesis problem. Indeed, in our setting, we have to design a controller notwithstanding the nondeterminism stemming from the quantization process. As a result, the techniques used to devise clever abstractions in a verification setting cannot be directly used in our synthesis setting where quantization is given.

Summing up, to the best of our knowledge, no previously published result is available about automatic generation of correct-by-construction control software from a DTLHS model of the plant, system level formal specifications and implementation specifications (that is, number of bits in AD conversion).

2 Background 

We denote with $[n]$ an initial segment $\{1, \ldots, n\}$ of the natural numbers. We denote with $X = [x_1, \ldots, x_n]$ a finite sequence (list) of variables. By abuse of language we may regard sequences as sets and we use $\cup$ to denote list concatenation. Each variable $x$ ranges on a known (bounded or unbounded) interval $\mathcal{D}_x$ either of the reals or of the integers (discrete variables). We denote with $\mathcal{D}_X$ the set $\prod_{x \in X} \mathcal{D}_x$. To clarify that a variable $x$ is continuous (i.e. real valued) we may write $x^r$. Similarly, to clarify that a variable $x$ is discrete (i.e. integer valued) we may write $x^d$. Boolean variables are discrete variables ranging on the set $\mathbb{B} = \{0, 1\}$. We may write $x^b$ to denote a boolean variable. Analogously $X^r$ ($X^d$, $X^b$) denotes the sequence of real (integer, boolean) variables in $X$. Unless otherwise stated, we suppose $\mathcal{D}_{X^r} = \mathbb{R}^{|X^r|}$ and $\mathcal{D}_{X^d} = \mathbb{Z}^{|X^d|}$. Finally, if $x$ is a boolean variable we write $\bar{x}$ for $(1 - x)$.



2.1 Predicates 

A linear expression over a list of variables $X$ is a linear combination of variables in $X$ with rational coefficients. A linear constraint over $X$ (or simply a constraint) is an expression of the form $L(X) \le b$, where $L(X)$ is a linear expression over $X$ and $b$ is a rational constant. In the following, we also write $L(X) \ge b$ for $-L(X) \le -b$.

Predicates are inductively defined as follows. A constraint $C(X)$ over a list of variables $X$ is a predicate over $X$. If $A(X)$ and $B(X)$ are predicates over $X$, then $(A(X) \wedge B(X))$ and $(A(X) \vee B(X))$ are predicates over $X$. Parentheses may be omitted, assuming usual associativity and precedence rules of logical operators. A conjunctive predicate is a conjunction of constraints. For conjunctive predicates we will also write: $L(X) = b$ for $((L(X) \le b) \wedge (L(X) \ge b))$ and $a \le x \le b$ for $x \ge a \wedge x \le b$, being $x \in X$.

A valuation over a list of variables $X$ is a function $v$ that maps each variable $x \in X$ to a value $v(x) \in \mathcal{D}_x$. Given a valuation $v$, we denote with $X^* \in \mathcal{D}_X$ the sequence of values $[v(x_1), \ldots, v(x_n)]$. By abuse of language, we call valuation also the sequence of values $X^*$. A satisfying assignment to a predicate $P$ over $X$ is a valuation $X^*$ such that $P(X^*)$ holds. If a satisfying assignment to a predicate $P$ over $X$ exists, we say that $P$ is feasible. Abusing notation, we may denote with $P$ the set of satisfying assignments to the predicate $P(X)$. Two predicates $P$ and $Q$ over $X$ are equivalent, notation $P \equiv Q$, if they have the same set of satisfying assignments.

A variable $x \in X$ is said to be bounded in $P$ if there exist $a, b \in \mathcal{D}_x$ such that $P(X)$ implies $a \le x \le b$. A predicate $P$ is bounded if all its variables are bounded.

Given a constraint $C(X)$ and a fresh boolean variable (guard) $y \notin X$, the guarded constraint $y \to C(X)$ (if $y$ then $C(X)$) denotes the predicate $((y = 0) \vee C(X))$. Similarly, we use $\bar{y} \to C(X)$ (if not $y$ then $C(X)$) to denote the predicate $((y = 1) \vee C(X))$. A guarded predicate is a conjunction of either constraints or guarded constraints. When a guarded predicate is bounded, it can be easily transformed into a (bounded) conjunctive predicate, as stated by the following proposition (details are in App. A.1).

Proposition 1. For each bounded guarded predicate $P(X)$, it is possible to compute an equivalent bounded conjunctive predicate $Q(X)$.



2.2 Mixed Integer Linear Programming 

A Mixed Integer Linear Programming (MILP) problem with decision variables $X$ is a tuple $(\max, J(X), A(X))$ where: $X$ is a list of variables, $J(X)$ (objective function) is a linear expression on $X$, and $A(X)$ (constraints) is a conjunctive predicate on $X$. A solution to $(\max, J(X), A(X))$ is a valuation $X^*$ such that $A(X^*)$ and $\forall Z\, (A(Z) \to (J(Z) \le J(X^*)))$. $J(X^*)$ is the optimal value of the MILP problem. A feasibility problem is a MILP problem of the form $(\max, 0, A(X))$. We write also $A(X)$ for $(\max, 0, A(X))$. We write $(\min, J(X), A(X))$ for $(\max, -J(X), A(X))$.

In algorithm outlines, MILP solver invocations are denoted by function feasible$(A(X))$ that returns TRUE if $A(X)$ is feasible and FALSE otherwise, and function optimalValue$(\max, J(X), A(X))$ that returns either the optimal value of the MILP problem $(\max, J(X), A(X))$ or $+\infty$ if such MILP problem is unbounded or unfeasible.

2.3 Labeled Transition Systems 

A Labeled Transition System (LTS) is a tuple $\mathcal{S} = (S, A, T)$ where $S$ is a (possibly infinite) set of states, $A$ is a (possibly infinite) set of actions, and $T : S \times A \times S \to \mathbb{B}$ is the transition relation of $\mathcal{S}$. We say that $T$ (and $\mathcal{S}$) is deterministic if $T(s, a, s') \wedge T(s, a, s'')$ implies $s' = s''$, and nondeterministic otherwise.¹ Let $s \in S$ and $a \in A$. We denote with $\mathrm{Adm}(\mathcal{S}, s)$ the set of actions admissible in $s$, that is $\mathrm{Adm}(\mathcal{S}, s) = \{a \in A \mid \exists s'\, T(s, a, s')\}$ and with $\mathrm{Img}(\mathcal{S}, s, a)$ the set of next states from $s$ via $a$, that is $\mathrm{Img}(\mathcal{S}, s, a) = \{s' \in S \mid T(s, a, s')\}$. We call transition a triple $(s, a, s') \in S \times A \times S$, and self loop a transition $(s, a, s)$. A transition $(s, a, s')$ [self loop $(s, a, s)$] is a transition [self loop] of $\mathcal{S}$ iff $T(s, a, s')$ [$T(s, a, s)$].

A run or path for an LTS $\mathcal{S}$ is a sequence $\pi = s_0, a_0, s_1, a_1, s_2, a_2, \ldots$ of states $s_t$ and actions $a_t$ such that $\forall t \ge 0\ T(s_t, a_t, s_{t+1})$. The length $|\pi|$ of a finite run $\pi$ is the number of actions in $\pi$. We denote with $\pi^{(S)}(t)$ the $t$-th state element of $\pi$, and with $\pi^{(A)}(t)$ the $t$-th action element of $\pi$. That is $\pi^{(S)}(t) = s_t$, and $\pi^{(A)}(t) = a_t$.

Given two LTSs $\mathcal{S}_1 = (S, A, T_1)$ and $\mathcal{S}_2 = (S, A, T_2)$, we say that $\mathcal{S}_1$ refines $\mathcal{S}_2$ (notation $\mathcal{S}_1 \sqsubseteq \mathcal{S}_2$) iff $T_1(s, a, s')$ implies $T_2(s, a, s')$ for each state $s, s' \in S$ and action $a \in A$. The refinement relation is a partial order on LTSs.

¹ Note that, with this definition, deterministic LTSs are not a special case of nondeterministic ones, as it usually is.



3 Discrete Time Linear Hybrid Systems 

In this section we introduce our class of Discrete Time Linear Hybrid Systems 
(DTLHS for short), together with the DTLHS representing the buck DC-DC 
converter on which our experiments will focus. 

Definition 1. A Discrete Time Linear Hybrid System is a tuple $\mathcal{H} = (X, U, Y, N)$ where:

• $X = X^r \cup X^d$ is a finite sequence of real ($X^r$) and discrete ($X^d$) present state variables. We denote with $X'$ the sequence of next state variables obtained by decorating with $'$ all variables in $X$.

• $U = U^r \cup U^d$ is a finite sequence of input variables.

• $Y = Y^r \cup Y^d$ is a finite sequence of auxiliary variables. Auxiliary variables are typically used to model modes (e.g., from switching elements such as diodes) or "local" variables.

• $N(X, U, Y, X')$ is a conjunctive predicate over $X \cup U \cup Y \cup X'$ defining the transition relation (next state) of the system. $N$ is deterministic if $N(x, u, y_1, x') \wedge N(x, u, y_2, x'')$ implies $x' = x''$, and nondeterministic otherwise.

A DTLHS is bounded if predicate $N$ is bounded. A DTLHS is deterministic if $N$ is deterministic.

By Prop. 1 any bounded guarded predicate can be transformed into a conjunctive predicate. For the sake of readability, we will use bounded guarded predicates to describe the transition relation of bounded DTLHSs. To this aim, we will also clarify which variables are boolean, and thus may be used as guards in guarded constraints.

Note that DTLHSs can effectively model linear algebraic constraints involving both continuous as well as discrete variables. Therefore many embedded control systems may be modeled as DTLHSs.



Example 1. Let $x$ be a continuous variable, $u$ be a boolean variable, and $N(x, u, x') = [u \to x' = \alpha x] \wedge [\bar{u} \to x' = \beta x]$ be a guarded predicate with $\alpha = \frac{1}{2}$ and $\beta = 1$. Then $\mathcal{H} = (\{x\}, \{u\}, \emptyset, N)$ is a DTLHS.

Note that $\mathcal{H}$ is deterministic. Adding nondeterminism to $\mathcal{H}$ allows us to address the problem of (bounded) variations in the DTLHS parameters. For example, variations in the parameter $\alpha$ can be modelled with a tolerance $\rho \in [0, 1]$ for $\alpha$. This replaces $N$ with: $N^{(\rho)} = [u \to x' \le (1 + \rho)\alpha x] \wedge [u \to x' \ge (1 - \rho)\alpha x] \wedge [\bar{u} \to x' = \beta x]$. We have that $\mathcal{H}^{(\rho)} = (\{x\}, \{u\}, \emptyset, N^{(\rho)})$, for $\rho \in (0, 1]$, is a nondeterministic DTLHS. Note that, as expected, $\mathcal{H}^{(0)} = \mathcal{H}$.

In the following definition, we give the semantics of DTLHSs in terms of LTSs.

Definition 2. Let $\mathcal{H} = (X, U, Y, N)$ be a DTLHS. The dynamics of $\mathcal{H}$ is defined by the Labeled Transition System $\mathrm{LTS}(\mathcal{H}) = (\mathcal{D}_X, \mathcal{D}_U, N)$ where: $N : \mathcal{D}_X \times \mathcal{D}_U \times \mathcal{D}_X \to \mathbb{B}$ is a function s.t. $N(x, u, x') = \exists y \in \mathcal{D}_Y\ N(x, u, y, x')$. A state $x$ for $\mathcal{H}$ is a state $x$ for $\mathrm{LTS}(\mathcal{H})$ and a run (or path) for $\mathcal{H}$ is a run for $\mathrm{LTS}(\mathcal{H})$ (Sect. 2.3).

Note that a DTLHS $\mathcal{H}$ is deterministic iff $\mathrm{LTS}(\mathcal{H})$ is deterministic.

Example 2. Let $\mathcal{H} =  (\{x\}, \{u\}, \emptyset, N)$ be the DTLHS of Ex. 1. Then a sequence $\pi$ is a run on $\mathcal{H}$ iff $\pi^{(S)}(t) = \pi^{(S)}(0) / 2^i$, being $i = \sum_{j=0}^{t-1} \pi^{(A)}(j)$ (taking the summation on an empty set).
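As an added example (not code from the paper), the following Python evaluates the guarded transition predicate of Example 1 and its tolerance variant $N^{(\rho)}$ with the guarded-constraint semantics of Sect. 2.1, enumerates the successor interval of a state, and checks the closed-form run of Example 2; the initial state, the action sequence and $\rho = 1/4$ are constructed inputs.

```python
from fractions import Fraction

# Added example (not from the paper): the DTLHS H of Example 1 and the
# tolerance variant N^(rho) of Sect. 3, with guarded constraints evaluated
# exactly as in Sect. 2.1 (y -> C(X) stands for (y = 0) or C(X)).
ALPHA = Fraction(1, 2)   # alpha = 1/2 (Example 1)
BETA = Fraction(1)       # beta = 1 (Example 1)
RHO = Fraction(1, 4)     # constructed tolerance for the nondeterministic variant


def guard(y, holds):
    """Guarded constraint y -> C: satisfied when the guard is 0 or C holds."""
    return y == 0 or holds


def N(x, u, x_next, rho=Fraction(0)):
    """N^(rho)(x, u, x'); rho = 0 gives the deterministic N of Example 1."""
    x, x_next = Fraction(x), Fraction(x_next)
    return (guard(u, x_next <= (1 + rho) * ALPHA * x)
            and guard(u, x_next >= (1 - rho) * ALPHA * x)
            and guard(1 - u, x_next == BETA * x))


def successors(x, u, rho=Fraction(0)):
    """Img(LTS(H^(rho)), x, u) as the closed interval [lo, hi] of next states."""
    x = Fraction(x)
    if u == 1:
        ends = ((1 - rho) * ALPHA * x, (1 + rho) * ALPHA * x)
        return (min(ends), max(ends))      # the order swaps when x < 0
    return (BETA * x, BETA * x)


def is_deterministic(rho, x=Fraction(8)):
    """H^(rho) is deterministic iff a state has a single successor per input."""
    lo, hi = successors(x, 1, rho)
    return lo == hi


def run(x0, actions):
    """The unique run of the deterministic H from x0 under an action sequence."""
    states = [Fraction(x0)]
    for u in actions:
        lo, hi = successors(states[-1], u)
        assert lo == hi and N(states[-1], u, lo)   # rho = 0: one successor
        states.append(lo)
    return states


def closed_form(x0, actions, t):
    """Example 2: pi^(S)(t) = pi^(S)(0) / 2^i with i = sum_{j < t} pi^(A)(j)."""
    return Fraction(x0) / 2 ** sum(actions[:t])
```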

3.1 Buck DC-DC Converter as a DTLHS 

The buck DC-DC converter (Fig. 2) is a mixed-mode analog circuit converting the DC input voltage ($V_i$ in Fig. 2) to a desired DC output voltage ($v_O$ in Fig. 2). As an example, buck DC-DC converters are used off-chip to scale down the typical laptop battery voltage (12-24) to the just few volts needed by the laptop processor (e.g. [10]) as well as on-chip to support Dynamic Voltage and Frequency Scaling (DVFS) in multicore processors (e.g. [26, 39]). Because of its widespread use, control schemas for buck DC-DC converters have been widely studied (e.g. see [26, 39, ?, ?]). The typical software based approach (e.g. see [10]) is to control the switch $u$ in Fig. 2 (typically implemented with a MOSFET) with a microcontroller. Designing the software to run on the microcontroller to properly actuate the switch is the control software design problem for the buck DC-DC converter in our context.






Figure 2: Buck DC-DC converter 



The circuit in Fig. 2 can be modeled as a DTLHS $\mathcal{H} = (X, U, Y, N)$. The circuit state variables are $i_L$ and $v_C$. However we can also use the pair $i_L$, $v_O$ as state variables in $\mathcal{H}$ model since there is a linear relationship between $i_L$, $v_C$ and $v_O$, namely: $v_O = \frac{r_C R}{r_C + R}\, i_L + \frac{R}{r_C + R}\, v_C$. Such considerations lead to use the following sets of variables to model $\mathcal{H}$: $X = X^r = [i_L, v_O]$, $U = U^b = [u]$, $Y = Y^r \cup Y^b$ with $Y^r = [i_u, v_u, i_D, v_D]$ and $Y^b = [q]$. Note how $\mathcal{H}$ auxiliary variables $Y$ stem from the constitutive equations of the switching elements (i.e. the switch $u$ and the diode $D$ in Fig. 2). From a simple circuit analysis (e.g. see [28]) we have the following equations:

$$\dot{i}_L = a_{1,1} i_L + a_{1,2} v_O + a_{1,3} v_D \qquad (1)$$

$$\dot{v}_O = a_{2,1} i_L + a_{2,2} v_O + a_{2,3} v_D \qquad (2)$$


where the coefficients $a_{i,j}$ depend on the circuit parameters $R$, $r_L$, $r_C$, $L$ and $C$ (their explicit expressions are not legible in this copy). Using a discrete time model with sampling time $T$ (writing $x'$ for $x(t + 1)$) we have:

$$i_L' = (1 + T a_{1,1}) i_L + T a_{1,2} v_O + T a_{1,3} v_D \qquad (3)$$

$$v_O' = T a_{2,1} i_L + (1 + T a_{2,2}) v_O + T a_{2,3} v_D. \qquad (4)$$

The algebraic constraints stemming from the constitutive equations of the switching elements are the following:

$$q \to v_D = 0 \quad (5) \qquad\qquad \bar{q} \to v_D \le 0 \quad (9)$$

$$q \to i_D \ge 0 \quad (6) \qquad\qquad \bar{q} \to v_D = R_{off}\, i_D \quad (10)$$

$$u \to v_u = 0 \quad (7) \qquad\qquad \bar{u} \to v_u = R_{off}\, i_u \quad (11)$$

$$i_D = i_L - i_u \quad (8) \qquad\qquad v_D = v_u - V_i \quad (12)$$

The transition relation $N$ of $\mathcal{H}$ is given by the conjunction of the constraints in Eqs. (3)-(12).
4 Quantized Feedback Control

In this section, we formally define the Quantized Feedback Control Problem for DTLHSs (Sect. 4.3). To do this, first we give the definition of Feedback Control Problem for LTSs (Sect. 4.1), and then for DTLHSs (Sect. 4.2).

4.1 Feedback Control Problem for LTSs

We begin by extending to possibly infinite LTSs the definitions in [13, ?] for finite LTSs. In what follows, let $\mathcal{S} = (S, A, T)$ be an LTS, $I, G \subseteq S$ be, respectively, the initial and goal regions.

Definition 3. A controller for an LTS $\mathcal{S}$ is a function $K : S \times A \to \mathbb{B}$ such that $\forall s \in S$, $\forall a \in A$, if $K(s, a)$ then $a \in \mathrm{Adm}(\mathcal{S}, s)$. We denote with $\mathrm{Dom}(K)$ the set of states for which a control action is defined. Formally, $\mathrm{Dom}(K) = \{s \in S \mid \exists a\, K(s, a)\}$. $\mathcal{S}^{(K)}$ denotes the closed loop system, that is the LTS $(S, A, T^{(K)})$, where $T^{(K)}(s, a, s') = T(s, a, s') \wedge K(s, a)$. An LTS control problem is a triple $(\mathcal{S}, I, G)$.

Example 3. Let $S = \{-1, 0, 1\}$ and $A = \{0, 1\}$. Let $\mathcal{S}_0$ be the LTS $(S, A, T_0)$, where the transition relation $T_0$ consists of the continuous arrows in Fig. 3, and let $\mathcal{S}_1$ be the LTS $(S, A, T_1)$ where the transition relation $T_1$ consists of all arrows in Fig. 3. Any function $K : S \times A \to \mathbb{B}$ is a controller for $\mathcal{S}_1$, since for all states $s \in S$ $\mathrm{Adm}(\mathcal{S}_1, s) = A$. On the other hand, a function $K$ is a controller for $\mathcal{S}_0$ iff $s \ne 0 \to K(s, 1) = 0$.

In the following we give formal definitions of strong and weak solutions to a control problem for an LTS.

We call a path $\pi$ fullpath [8] if either it is infinite or its last state $\pi^{(S)}(|\pi|)$ has no successors (i.e. $\mathrm{Adm}(\mathcal{S}, \pi^{(S)}(|\pi|)) = \emptyset$). We denote with $\mathrm{Path}(\mathcal{S}, s, a)$ the set of fullpaths of $\mathcal{S}$ starting in state $s$ with action $a$, i.e. the set of fullpaths $\pi$ such that $\pi^{(S)}(0) = s$ and $\pi^{(A)}(0) = a$.

Given a path $\pi$ in $\mathcal{S}$, we define the measure $J(\mathcal{S}, G, \pi)$ on paths as the distance of $\pi^{(S)}(0)$ to the goal on $\pi$. That is, if there exists $n > 0$ s.t. $\pi^{(S)}(n) \in G$, then $J(\mathcal{S}, G, \pi) = \min\{n \mid n > 0 \wedge \pi^{(S)}(n) \in G\}$. Otherwise, $J(\mathcal{S}, G, \pi) = +\infty$. We require $n > 0$ since our systems are nonterminating and each controllable state (including a goal state) must have a path of positive length to a goal state. Taking $\sup \emptyset = +\infty$ and $\inf \emptyset = -\infty$, the worst case distance (pessimistic view) of a state $s$ from the goal region $G$ is $J_{strong}(\mathcal{S}, G, s) = \sup\{J^{(a)}(\mathcal{S}, G, s, a) \mid a \in \mathrm{Adm}(\mathcal{S}, s)\}$, where: $J^{(a)}(\mathcal{S}, G, s, a) = \sup\{J(\mathcal{S}, G, \pi) \mid \pi \in \mathrm{Path}(\mathcal{S}, s, a)\}$. The best case distance (optimistic view) of a state $s$ from the goal region $G$ is $J_{weak}(\mathcal{S}, G, s) = \sup\{J^{(a)}(\mathcal{S}, G, s, a) \mid a \in \mathrm{Adm}(\mathcal{S}, s)\}$, where: $J^{(a)}(\mathcal{S}, G, s, a) = \inf\{J(\mathcal{S}, G, \pi) \mid \pi \in \mathrm{Path}(\mathcal{S}, s, a)\}$.

Definition 4. Let $\mathcal{P} = (\mathcal{S}, I, G)$ be an LTS control problem and $K$ be a controller for $\mathcal{S}$ such that $I \subseteq \mathrm{Dom}(K)$.

$K$ is a strong solution to $\mathcal{P}$ if for all $s \in \mathrm{Dom}(K)$, $J_{strong}(\mathcal{S}^{(K)}, G, s)$ is finite. $K$ is a weak solution to $\mathcal{P}$ if for all $s \in \mathrm{Dom}(K)$, $J_{weak}(\mathcal{S}^{(K)}, G, s)$ is finite.

An optimal strong [weak] solution to $\mathcal{P}$ is a strong [weak] solution $K^*$ to $\mathcal{P}$ such that for all strong [weak] solutions $K$ to $\mathcal{P}$, for all $s \in S$ we have: $J_{strong}(\mathcal{S}^{(K^*)}, G, s) \le J_{strong}(\mathcal{S}^{(K)}, G, s)$ [$J_{weak}(\mathcal{S}^{(K^*)}, G, s) \le J_{weak}(\mathcal{S}^{(K)}, G, s)$].

Intuitively, a strong solution $K$ takes a pessimistic view by requiring that for each initial state, all runs in the closed loop system $\mathcal{S}^{(K)}$ reach the goal, no matter nondeterministic outcomes. A weak solution $K$ takes an optimistic view about nondeterminism: it just asks that for each action $a$ enabled in a given state $s$, there exists at least a path in $\mathrm{Path}(\mathcal{S}^{(K)}, s, a)$ leading to the goal. Unless otherwise stated, we say solution for strong solution.

Example 4. Let $\mathcal{S}_0, \mathcal{S}_1$ be the LTSs in Ex. 3. Let $\mathcal{P}_0 = (\mathcal{S}_0, I, G)$ and $\mathcal{P}_1 = (\mathcal{S}_1, I, G)$ be two control problems, where $I = \{-1, 0, 1\}$ and $G = \{0\}$. The controller $K(s, a) = [s \ne 0 \to a = 0]$ is a strong solution to the control problem $\mathcal{P}_0$. Observe that $K$ is not optimal. Indeed, let us consider $\underline{K}(s, a) = a = 0$. Since $K$ enables action 1 in state 0, we have that $J_{strong}(\mathcal{S}_0^{(K)}, G, 0) = 2$. Since $\underline{K}$ enables action 0 only, the path $\pi$ s.t. $\pi^{(S)}(t) = 0$ and $\pi^{(A)}(t) = 0$ for all $t \ge 0$ is the unique fullpath of $\mathcal{S}_0^{(\underline{K})}$ starting from state 0, and therefore $J_{strong}(\mathcal{S}_0^{(\underline{K})}, G, 0) = 1$.

The control problem $\mathcal{P}_1$ has no strong solution. As a matter of fact, to drive the system to the goal region $\{0\}$, any solution $K$ must enable action 0 in states $-1$ and $1$: in such a case, however, we have that $J_{strong}(\mathcal{S}_1^{(K)}, G, 1) = J_{strong}(\mathcal{S}_1^{(K)}, G, -1) = \infty$ because of the dotted self loops $(1, 0, 1)$ and $(-1, 0, -1)$ of $T_1$.

Definition 5. The most general optimal strong [weak] solution to $\mathcal{P}$ (strong [weak] mgo in the following) is an optimal strong [weak] solution $K$ to $\mathcal{P}$ such that for all other optimal strong [weak] solutions $K'$ to $\mathcal{P}$, for all $s \in S$, for all $a \in A$ we have that $K'(s, a) \to K(s, a)$.

Figure 3: LTSs $\mathcal{S}_0$ (continuous arrows) and $\mathcal{S}_1$ (all arrows)

The definition of most general optimal controller is well posed as stated by the following proposition (details are in App. A.2).

Proposition 2. An LTS control problem $(\mathcal{S}, \emptyset, G)$ has always an unique strong [weak] mgo $K^*$. Moreover, for all $I \subseteq S$, we have:

• if $I \subseteq \mathrm{Dom}(K^*)$, then $K^*$ is the unique strong [weak] mgo for the control problem $(\mathcal{S}, I, G)$;

• if $I \not\subseteq \mathrm{Dom}(K^*)$, then the control problem $(\mathcal{S}, I, G)$ has no strong [weak] solution.

Our control synthesis algorithm (Alg. 1 in Sect. 6.1) makes use of a variant of the symbolic (i.e. OBDD based) algorithm in [?] for the computation of mgos (function strongCtr, line 3), and a variant of the algorithm in [13] to verify the existence of a weak solution (function existsWeakCtr, line 6). The proof of Prop. 2 is essentially also a correctness proof for function strongCtr. It can be easily adapted to prove the uniqueness of the weak most general optimal solution, and thus to prove the correctness of function existsWeakCtr (details are in App. A.3).



Example 5. Let $\mathcal{P}_0$, $\mathcal{P}_1$, $K$ and $\underline{K}$ be as in Ex. 4. $K$ is the weak mgo for $\mathcal{P}_1$. $\underline{K}$ is the strong mgo for $\mathcal{P}_0$.

Remark 1. Note that if $K$ is a strong solution to $(\mathcal{S}, I, G)$ and $G \subseteq I$ (as is usually the case in control problems) then $\mathcal{S}^{(K)}$ is stable from $I$ to $G$, that is each run in $\mathcal{S}^{(K)}$ starting from a state in $I$ leads to a state in $G$. In fact, from Def. 4 we have that each state $s \in I$ reaches a state $s' \in G$ in a finite number of steps. Moreover, since $G \subseteq I$, we have that any state $s \in G$ reaches a state $s' \in G$ in a finite number of steps. Thus, any path starting in $I$ in the closed loop system $\mathcal{S}^{(K)}$ touches $G$ an infinite number of times.
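As an added example (not the paper's or QKS's code), the following Python computes $J_{strong}$, $J_{weak}$ and the strong mgo of Prop. 2 for a finite LTS by fixpoint iteration and checks the claims of Examples 4 and 5 on $\mathcal{S}_0$ and $\mathcal{S}_1$. The arrows of Fig. 3 are not legible on this page, so the transition relations are a constructed assumption consistent with the text ($T_1$ adds to $T_0$ only the two dotted self loops named in Ex. 4).

```python
INF = float("inf")

# Added example (not from the paper): LTSs S0 and S1 of Examples 3-5 over
# S = {-1, 0, 1}, A = {0, 1}, G = {0}. Constructed assumption for Fig. 3:
# in S0 action 0 leads every state to 0 and action 1 leads 0 to -1 or 1;
# S1 adds only the dotted self loops (1, 0, 1) and (-1, 0, -1) of Ex. 4.
S = (-1, 0, 1)
A = (0, 1)
G = {0}
I = {-1, 0, 1}
T0 = {(-1, 0, 0), (1, 0, 0), (0, 0, 0), (0, 1, -1), (0, 1, 1)}
T1 = T0 | {(1, 0, 1), (-1, 0, -1)}


def adm(T, s):
    """Adm(S, s): actions admissible in s (Sect. 2.3)."""
    return {a for (p, a, q) in T if p == s}


def img(T, s, a):
    """Img(S, s, a): next states from s via a."""
    return {q for (p, b, q) in T if p == s and b == a}


def closed_loop(T, K):
    """T^(K)(s, a, s') = T(s, a, s') and K(s, a) (Def. 3)."""
    return {(s, a, q) for (s, a, q) in T if K(s, a)}


def fixpoint(T, over_actions, over_successors):
    """Least fixpoint of the distance-to-G recursion on a finite LTS.

    Round n marks a state at distance n when, under the quantifier chosen
    over its admissible actions, the quantifier chosen over successors lands
    in G or in a state marked in an earlier round (n > 0, so a goal state is
    marked only through a positive-length path). Unmarked states, and states
    without admissible actions (sup of the empty set), stay at +inf."""
    d = {s: INF for s in S}
    for n in range(1, len(S) + 1):
        new = []
        for s in S:
            if d[s] < INF or not adm(T, s):
                continue
            if over_actions(
                    over_successors(q in G or d[q] < INF for q in img(T, s, a))
                    for a in adm(T, s)):
                new.append(s)
        for s in new:
            d[s] = n
    return d


def j_strong(T):
    """J_strong(S, G, s): every action, every successor (sup of sup)."""
    return fixpoint(T, all, all)


def j_weak(T):
    """J_weak(S, G, s): every action, some successor (sup of inf)."""
    return fixpoint(T, all, any)


def optimal_strong(T):
    """Worst-case distance when the controller may choose the action."""
    return fixpoint(T, any, all)


def dom(K):
    """Dom(K) = {s | exists a. K(s, a)}."""
    return {s for s in S if any(K(s, a) for a in A)}


def is_solution(T, K, init, strong=True):
    """Def. 4: init within Dom(K) and finite distance on Dom(K) in S^(K)."""
    d = (j_strong if strong else j_weak)(closed_loop(T, K))
    return init <= dom(K) and all(d[s] < INF for s in dom(K))


def strong_mgo(T):
    """Strong mgo K* of (S, {}, G) (Def. 5, Prop. 2): enable every action
    whose worst-case successor is strictly closer to G than the state."""
    dopt = optimal_strong(T)

    def K(s, a):
        return (dopt[s] < INF and a in adm(T, s)
                and all(q in G or dopt[q] < dopt[s] for q in img(T, s, a)))
    return K


def K_ex4(s, a):
    """K(s, a) = [s != 0 -> a = 0] of Ex. 4."""
    return s == 0 or a == 0


def K_bar(s, a):
    """Underlined K of Ex. 4: action 0 only."""
    return a == 0
```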
4.2 Feedback Control Problem for DTLHSs

A control problem for a DTLHS $\mathcal{H}$ is the LTS control problem induced by the dynamics of $\mathcal{H}$. For DTLHSs, we only consider control problems where $I$ and $G$ can be represented as predicates over present state variables of $\mathcal{H}$.

Definition 6. Given a DTLHS $\mathcal{H} = (X, U, Y, N)$ and predicates $I$ and $G$ over $X$, the DTLHS (feedback) control problem $(\mathcal{H}, I, G)$ is the LTS control problem $(\mathrm{LTS}(\mathcal{H}), I, G)$. Thus, a controller $K : \mathcal{D}_X \times \mathcal{D}_U \to \mathbb{B}$ is a strong [weak] solution to $(\mathcal{H}, I, G)$ iff it is a strong [weak] solution to $(\mathrm{LTS}(\mathcal{H}), I, G)$.

For DTLHS control problems, usually robust controllers are desired. That is, controllers that, notwithstanding nondeterminism in the plant (e.g. due to parameter variations, see Ex. 1), drive the plant state to the goal region. For this reason we focus on strong solutions.

Observe that the feedback controller for a DTLHS will only measure present state variables (e.g., capacitor voltage and inductor current in Sect. 3.1) and will not measure auxiliary variables (e.g. diode state in Sect. 3.1).

Example 6. The typical goal of a controller for the buck DC-DC converter in Sect. 3.1 is keeping the output voltage $v_O$ close enough to a given reference value $V_{ref}$. This leads to the control problem $\mathcal{P} = (\mathcal{H}, I, G)$ where $\mathcal{H}$ is defined in Sect. 3.1, $I = (|i_L| \le 2) \wedge (0 \le v_O \le 6.5)$, $G = (|v_O - V_{ref}| \le \theta) \wedge (|i_L| \le 2)$, and $\theta = 0.01$ is the desired buck precision.

4.3 Quantized Feedback Control Problem

Software running on a microcontroller (control software in the following) cannot handle real values. For this reason real valued state feedback from plant sensors undergoes an Analog-to-Digital (AD) conversion before being sent to the control software. This process is called quantization (e.g. see [18] and citations thereof). A Digital-to-Analog (DA) conversion is needed to transform the control software digital output into real values to be sent to plant actuators. In the following, we formally define quantized solutions to a DTLHS feedback control problem.

Definition 7. A quantization function $\gamma$ for a real interval $I = [a, b]$ is a non-decreasing function $\gamma : [a, b] \to \hat{I}$, where $\hat{I}$ is a bounded integer interval $[\gamma(a), \gamma(b)] \subseteq \mathbb{Z}$. The quantization step of $\gamma$, notation $\|\gamma\|$, is defined as $\sup\{|w - z| \mid w, z \in I \wedge \gamma(w) = \gamma(z)\}$.

For ease of notation, we extend quantizations to integer intervals, by stipulating that in such a case the quantization function is the identity function (i.e. $\gamma(x) = x$). Note that, with this convention, the quantization step on an integer interval is always 0.

Definition 8. Let $\mathcal{H} = (X, U, Y, N)$ be a DTLHS, and let $W = X \cup U$. A quantization $\mathcal{Q}$ for $\mathcal{H}$ is a pair $(A, \Gamma)$, where:

• $A$ is a predicate of the form $\bigwedge_{w \in W} (a_w \le w \le b_w)$ with $a_w, b_w \in \mathcal{D}_w$ (that is, $A$ explicitly bounds each variable in $W$). For each $w \in W$, we define $A_w = \{ v \in \mathcal{D}_w \mid a_w \le v \le b_w \}$ as the admissible region for variable $w$. Moreover, we define $A_V = \prod_{v \in V} A_v$, with $V \subseteq W$, as the admissible region for variables in $V$.

• $\Gamma$ is a set of maps $\Gamma = \{ \gamma_w \mid w \in W \text{ and } \gamma_w \text{ is a quantization function for } A_w \}$.

Let $V = [w_1, \ldots, w_k]$ and $v = [v_1, \ldots, v_k] \in A_V$, with $V \subseteq W$. We write $\Gamma(v)$ (or $\hat{v}$) for the tuple $[\gamma_{w_1}(v_1), \ldots, \gamma_{w_k}(v_k)]$ and $\Gamma^{-1}(\hat{v})$ for the set $\{ v \in A_V \mid \Gamma(v) = \hat{v} \}$. Finally, the quantization step $\|\Gamma\|$ for $\Gamma$ is defined as

$\sup\{\, \|\gamma\| \mid \gamma \in \Gamma \,\}$.

Note that $\Gamma$ is univocally defined by its quantizations $\gamma_w$ where $w$ is a real valued variable, since discrete variables are not affected by the quantization process. For ease of notation, in the following we will also consider quantizations for primed variables $x' \in X'$, by stipulating that $\gamma_{x'} = \gamma_x$.

Example 7. Let $\mathcal{P}$ be the DTLHS control problem defined in Ex. [3]. Let us consider the quantization $\mathcal{Q} = (A, \Gamma)$, where $A(x, u) = -2.5 \le x \le 2.5 \wedge 0 \le u \le 1$. $A$ defines the admissible regions $A_X = A_x = [-2.5, 2.5]$ for $X$ and $A_U = A_u = \{0, 1\}$ for $U$. Let $\Gamma = \{\gamma_x, \gamma_u\}$, with $\gamma_x(x) = \mathrm{round}(x/2)$ (where $\mathrm{round}(x) = \lfloor x \rfloor + \lfloor 2(x - \lfloor x \rfloor) \rfloor$ is the usual rounding function) and $\gamma_u(u) = u$. Note that $\gamma_x(x) = -1$ for all $x \in [-2.5, -1]$, $\gamma_x(x) = 0$ for all $x \in (-1, 1)$ and $\gamma_x(x) = 1$ for all $x \in [1, 2.5]$. Thus, we have that $\Gamma(A_X) = \{-1, 0, 1\}$, $\Gamma(A_U) = \{0, 1\}$ and $\|\Gamma\| = 1$.

Quantization, i.e. representing reals with integers, unavoidably introduces errors in reading real-valued plant sensors in the control software. We address this problem in the following way. First, we introduce the definition of $\varepsilon$-solution. Essentially, we require that the controller drives the plant "near enough" (up to a given error $\varepsilon$) to the goal region $G$. To this end, we define the $\varepsilon$-relaxation of a set in $\mathbb{R}^n \times \mathbb{Z}^m$.

Definition 9. Let $\varepsilon$ be a nonnegative real number, $W \subseteq \mathbb{R}^n \times \mathbb{Z}^m$. The $\varepsilon$-relaxation of $W$ is the set (ball of radius $\varepsilon$) $\mathcal{B}_\varepsilon(W) = \{ (z_1, \ldots, z_n, q_1, \ldots, q_m) \mid \exists (x_1, \ldots, x_n, q_1, \ldots, q_m) \in W \text{ and } \forall i \in \{1, \ldots, n\}\ |z_i - x_i| \le \varepsilon \}$.

Definition 10. Let $\mathcal{P} = (\mathcal{H}, I, G)$ be a DTLHS control problem and let $\varepsilon \ge 0$ be a real number. A strong [weak] $\varepsilon$-solution to $\mathcal{P}$ is a strong [weak] solution to the LTS control problem $(\mathrm{LTS}(\mathcal{H}), I, \mathcal{B}_\varepsilon(G))$.

Example 8. Let $\mathcal{H}$ be the DTLHS described in Ex. [?]. We consider the control problem defined by the initial region $I = [-2.5, 2.5]$ and the goal region $G = \{0\}$ (represented by the predicate $x = 0$). The DTLHS control problem $\mathcal{P} = (\mathcal{H}, I, G)$ has no solution (because of the Zeno phenomenon), but for all $\varepsilon > 0$ it has the $\varepsilon$-solution $K$ such that $\forall x \in I.\ K(x, 0)$.

Second, we introduce the definition of quantized solution to a DTLHS control problem for a given quantization $\mathcal{Q} = (A, \Gamma)$. Essentially, a quantized solution models the fact that in an SBCS control decisions are taken by the control software by just looking at quantized state values. Despite this, a quantized solution guarantees that each DTLHS initial state reaches a DTLHS goal state (up to an error of at most $\|\Gamma\|$).

Definition 11. Let $\mathcal{H} = (X, U, Y, N)$ be a DTLHS, $\mathcal{Q} = (A, \Gamma)$ be a quantization for $\mathcal{H}$ and $\mathcal{P} = (\mathcal{H}, I, G)$ be a DTLHS control problem. A $\mathcal{Q}$ Quantized Feedback Control (QFC) strong [weak] solution to $\mathcal{P}$ is a strong [weak] $\|\Gamma\|$-solution $K : \mathcal{D}_X \times \mathcal{D}_U \to \mathbb{B}$ to $\mathcal{P}$ such that $K(x, u) = 0$ if $(x, u) \notin A_X \times A_U$, and otherwise $K(x, u) = \hat{K}(\Gamma(x), \Gamma(u))$ where $\hat{K} : \Gamma(A_X) \times \Gamma(A_U) \to \mathbb{B}$.

Note that by Def. 11 a necessary condition for the existence of a $\mathcal{Q}$ QFC (strong as well as weak) solution is that $G, I \subseteq A_X$. This is indeed the case in real-world systems and in all our examples. Furthermore, note that a $\mathcal{Q}$ QFC solution to a DTLHS control problem does not work outside the admissible region defined by $\mathcal{Q}$. This models the fact that controllers for real-world systems must maintain the plant inside given bounds (such requirements are part of the safety specifications). In the following, we will define $\mathcal{Q}$ QFC solutions by only specifying their behaviour inside the admissible region.

Example 9. Let $\mathcal{P}$ be the DTLHS control problem defined in Ex. [?] and $\mathcal{Q} = (A, \Gamma)$ be the quantization defined in Ex. 7. Let $\hat{K}$ be defined by $\hat{K}(\hat{x}, \hat{u}) = [\hat{x} \ne 0 \to \hat{u} = 0]$. For any $\varepsilon > 0$, the quantized controller $K(x, u) = \hat{K}(\Gamma(x), \Gamma(u))$ is an $\varepsilon$-solution to $\mathcal{P}$, and hence it is a $\mathcal{Q}$ QFC solution.
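The quantization of Ex. 7 and the quantized controller of Ex. 9, as an added example in Python; it is not code from the paper or from the QKS tool. It assumes a constructed one-variable plant, $x' = x/2$ under $u = 0$ and $x' = 3x/2$ under $u = 1$, chosen to reproduce the transitions the text states for its example ($N(2,1,3)$, $N(-2,1,-3)$, $0$ fixed under both actions, Zeno approach to $0$ under $u = 0$); the page's own definition of that DTLHS is not in this excerpt. $\Gamma(A_x)$ and $\Gamma^{-1}(\hat{x})$ are computed on a sample grid rather than symbolically.

```python
import math

A_X = (-2.5, 2.5)            # admissible region A_x of Ex. 7
A_U = (0, 1)                 # A_u = {0, 1}
G = (0.0,)                   # goal region G = {0} of Ex. 8

def paper_round(x):
    """round(x) = floor(x) + floor(2(x - floor(x))), the rounding function of Ex. 7."""
    fx = math.floor(x)
    return fx + math.floor(2 * (x - fx))

def gamma_x(x):
    """Quantization function gamma_x(x) = round(x/2) of Ex. 7."""
    return paper_round(x / 2)

def gamma_u(u):
    """Discrete variables are quantized by the identity (Def. 7)."""
    return u

def admissible(x, u):
    return A_X[0] <= x <= A_X[1] and u in A_U

# Finite sample of A_x standing in for the real interval (constructed approximation).
GRID = [-2.5 + i / 100 for i in range(501)]

def abstract_states():
    """Gamma(A_x) computed on the sample grid."""
    return sorted({gamma_x(x) for x in GRID})

def cell_bounds(xh):
    """Smallest and largest sampled x with Gamma(x) = xh, i.e. the span of Gamma^{-1}(xh)."""
    pts = [x for x in GRID if gamma_x(x) == xh]
    return (min(pts), max(pts))

def K_hat(xh, uh):
    """Abstract controller of Ex. 9: [xh != 0 -> uh = 0]."""
    return xh == 0 or uh == 0

def K(x, u):
    """Quantized controller K(x, u) = K_hat(Gamma(x), Gamma(u)); 0 outside A_x x A_u (Def. 11)."""
    if not admissible(x, u):
        return False
    return K_hat(gamma_x(x), gamma_u(u))

def plant(x, u):
    """Assumed plant dynamics (constructed, see lead-in)."""
    return x / 2 if u == 0 else 1.5 * x

def in_relaxation(x, eps):
    """x in B_eps(G) (Def. 9) for the one-variable goal G = {0}."""
    return any(abs(x - g) <= eps for g in G)

def steps_to_goal(x0, eps, max_steps=200):
    """Run the closed loop from x0, always taking the smallest action K enables; return
    the number of steps until B_eps(G) is entered, or None if it is never entered."""
    x = x0
    for t in range(max_steps):
        if in_relaxation(x, eps):
            return t
        enabled = [u for u in A_U if K(x, u)]
        x = plant(x, enabled[0])
    return None
```

With $\varepsilon = 0.01$ the loop from either end of $I$ enters $\mathcal{B}_\varepsilon(G)$ after 8 steps, while with $\varepsilon = 0$ it never reaches $G$ exactly, which is the Zeno behaviour of Ex. 8.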
Along the same lines of similar undecidability proofs [23], it is possible to show that existence of a $\mathcal{Q}$ QFC solution to a DTLHS control problem (DTLHS quantized control problem) is undecidable (details are in App. A.4).

Theorem 3. The DTLHS quantized control problem is undecidable.



5 Control Abstraction

A quantization naturally induces an abstraction of a DTLHS. Motivated by finding QFC solutions in the abstract model, in this paper we introduce a novel notion of abstraction, namely control abstraction.

Control abstraction (Def. 13) models how a DTLHS $\mathcal{H}$ is seen from the control software after AD/DA conversions. Since QFC control rests on AD conversion we must be careful not to drive the plant outside the bounds in which AD conversion works correctly. This leads to the definition of admissible action (Def. 12). Intuitively, an action is admissible in a state if it never drives the system outside of its admissible region.

Definition 12. Let $\mathcal{H} = (X, U, Y, N)$ be a DTLHS and $\mathcal{Q} = (A, \Gamma)$ be a quantization for $\mathcal{H}$.

An action $u \in A_U$ is $A$-admissible in $s \in A_X$ if for all $s'$, $(\exists y \in A_Y\ N(s, u, y, s'))$ implies $s' \in A_X$.

An action $\hat{u} \in \Gamma(A_U)$ is $\mathcal{Q}$-admissible in $\hat{s} \in \Gamma(A_X)$ if for all $s \in \Gamma^{-1}(\hat{s})$, $u \in \Gamma^{-1}(\hat{u})$, $u$ is $A$-admissible for $s$ in $\mathcal{H}$.

Example 10. Let $\mathcal{H}$ be the DTLHS defined in Ex. [?] and $\mathcal{Q}$ be the quantization defined in Ex. 7. Then the action $u = 1$ is not $A$-admissible in the state $s = 2$ since we have $N(2, 1, 3)$, and $s' = 3$ is outside the admissible region $A_x$. As a consequence, the action $\hat{u} = 1$ is not $\mathcal{Q}$-admissible in the state $\hat{s} = 1$, since $2 \in \Gamma^{-1}(1)$. Analogously, $u = 1$ is not $A$-admissible in $s = -2$ since we have $N(-2, 1, -3)$. Thus $\hat{u} = 1$ is not $\mathcal{Q}$-admissible in $\hat{s} = -1$, since $-2 \in \Gamma^{-1}(-1)$. It is easy to see that no other $\hat{u} \in \Gamma(A_U)$, $\hat{s} \in \Gamma(A_X)$ exist s.t. $\hat{u}$ is not $\mathcal{Q}$-admissible in $\hat{s}$.

Definition 13. Let $\mathcal{H} = (X, U, Y, N)$ be a DTLHS and $\mathcal{Q} = (A, \Gamma)$ be a quantization for $\mathcal{H}$. We say that the LTS $\hat{\mathcal{H}} = (\Gamma(A_X), \Gamma(A_U), \hat{N})$ is a $\mathcal{Q}$ control abstraction of $\mathcal{H}$ if its transition relation $\hat{N}$ satisfies the following conditions:

1. Each abstract transition stems from a concrete transition. Formally: for all $\hat{s}, \hat{s}' \in \Gamma(A_X)$, $\hat{u} \in \Gamma(A_U)$, if $\hat{N}(\hat{s}, \hat{u}, \hat{s}')$ then there exist $s \in \Gamma^{-1}(\hat{s})$, $u \in \Gamma^{-1}(\hat{u})$, $s' \in \Gamma^{-1}(\hat{s}')$, $y \in A_Y$ such that $N(s, u, y, s')$.

2. Each concrete transition is faithfully represented by an abstract transition, whenever it is not a self loop and its corresponding abstract action is $\mathcal{Q}$-admissible. Formally: for all $s, s' \in A_X$, $u \in A_U$ such that $\exists y.\ N(s, u, y, s')$, if $\Gamma(u)$ is $\mathcal{Q}$-admissible in $\Gamma(s)$ and $\Gamma(s) \ne \Gamma(s')$ then $\hat{N}(\Gamma(s), \Gamma(u), \Gamma(s'))$.

3. If there is no upper bound to the length of concrete paths inside the counter-image of an abstract state then there is an abstract self loop. Formally: for all $\hat{s} \in \Gamma(A_X)$, $\hat{u} \in \Gamma(A_U)$, if there exists an infinite run $\pi$ in $\mathcal{H}$ such that $\forall t \in \mathbb{N}\ \pi^{(S)}(t) \in \Gamma^{-1}(\hat{s})$ and $\pi^{(A)}(t) \in \Gamma^{-1}(\hat{u})$ (with $\pi^{(S)}(t)$ and $\pi^{(A)}(t)$ the state and the action at step $t$ of $\pi$) then $\hat{N}(\hat{s}, \hat{u}, \hat{s})$. A self loop $(\hat{s}, \hat{u}, \hat{s})$ for which there exists an infinite run $\pi$ in $\mathcal{H}$ such that $\forall t \in \mathbb{N}\ \pi^{(S)}(t) \in \Gamma^{-1}(\hat{s})$ and $\pi^{(A)}(t) \in \Gamma^{-1}(\hat{u})$ is said to be a non-eliminable self loop. A self loop $(\hat{s}, \hat{u}, \hat{s})$ such that $(\hat{s}, \hat{u}, \hat{s})$ is not a non-eliminable self loop, but for which a concrete witness exists (i.e., there exist $s, s' \in \Gamma^{-1}(\hat{s})$, $u \in \Gamma^{-1}(\hat{u})$, $y \in A_Y$ such that $N(s, u, y, s')$) is said to be an eliminable self loop.

We say that $\hat{\mathcal{H}}$ is a control abstraction of $\mathcal{H}$ if $\hat{\mathcal{H}}$ is a $\mathcal{Q}$ control abstraction of $\mathcal{H}$ for some quantization $\mathcal{Q}$. We denote with $\mathcal{C}(\mathcal{H}, \mathcal{Q})$ the set of all $\mathcal{Q}$ control abstractions of $\mathcal{H}$.

Example 11. Let $\mathcal{H}$ be as in Ex. [1] and $\mathcal{Q} = (A, \Gamma)$ be as in Ex. 7. $\mathcal{Q}$ control abstractions of $\mathcal{H}$ are depicted in Fig. [?]. Any $\mathcal{Q}$ control abstraction $\hat{\mathcal{H}}$ of $\mathcal{H}$ has the form $(\{-1, 0, 1\}, \{0, 1\}, \hat{N})$ where the set $\hat{N}$ of transitions always contains at least all continuous arrows in the automaton depicted in Fig. [?] and some dotted arrows. By condition 3 in Def. 13 self loops $(0, 0, 0)$ and $(0, 1, 0)$ are non-eliminable, thus they must belong to all $\mathcal{Q}$ control abstractions. In fact all paths starting from $0$ will remain in $0$ forever. All other self loops are eliminable. Note that, despite $\mathcal{H}$ being deterministic, all $\mathcal{Q}$ control abstractions of $\mathcal{H}$ are nondeterministic.

Along the same lines of similar undecidability proofs [23, ?], it is possible to show that we cannot algorithmically state if a self loop is eliminable or non-eliminable (details are in App. A.5).

Proposition 4. Given a DTLHS $\mathcal{H}$ and a quantization $\mathcal{Q}$, it is undecidable to determine if a self loop is non-eliminable.
Note that if in Def. 13 we drop condition 3 and the guard $\Gamma(s) \ne \Gamma(s')$ in condition 2 then we essentially get the usual definition of abstraction (e.g. see [2] and citations thereof). As a result, any abstraction is also a control abstraction whereas a control abstraction in general is not an abstraction, since some self loops or some non-admissible actions may be missing.

In the following, we will deal with two types of control abstractions, namely full and admissible control abstractions, which are defined as follows.

Definition 14. Let $\mathcal{H} = (X, U, Y, N)$ be a DTLHS and $\mathcal{Q} = (A, \Gamma)$ be a quantization for $\mathcal{H}$. A $\mathcal{Q}$ control abstraction $\hat{\mathcal{H}} = (\Gamma(A_X), \Gamma(A_U), \hat{N})$ of $\mathcal{H}$ is an admissible $\mathcal{Q}$ control abstraction iff, for all $\hat{s} \in \Gamma(A_X)$, $\hat{u} \in \Gamma(A_U)$ s.t. $\hat{u} \in \mathrm{Adm}(\hat{\mathcal{H}}, \hat{s})$:

1. $\hat{u}$ is $\mathcal{Q}$-admissible in $\hat{s}$, i.e. each abstract transition contains an admissible action;

2. $\forall s \in \Gamma^{-1}(\hat{s})\ \forall u \in \Gamma^{-1}(\hat{u})\ \exists s' \in \mathcal{D}_X\ \exists y \in \mathcal{D}_Y\ N(s, u, y, s')$, i.e. each concrete state in $\Gamma^{-1}(\hat{s})$ has a successor for all concrete actions in $\Gamma^{-1}(\hat{u})$.

We say $\hat{\mathcal{H}}$ is a full $\mathcal{Q}$ control abstraction if it satisfies properties 1 and 3 of Def. 13 plus the following property (derived from property 2 of Def. 13): for all $s, s' \in A_X$, $u \in A_U$ such that $\exists y.\ N(s, u, y, s')$, if $\Gamma(s) \ne \Gamma(s')$ then $\hat{N}(\Gamma(s), \Gamma(u), \Gamma(s'))$.

We denote with $\mathcal{C}_a(\mathcal{H}, \mathcal{Q})$ [$\mathcal{C}_f(\mathcal{H}, \mathcal{Q})$] the set of all admissible [full] $\mathcal{Q}$ control abstractions of $\mathcal{H}$.

It is easy to show that, if all actions are $\mathcal{Q}$-admissible in all states, then a full $\mathcal{Q}$ control abstraction is also an admissible $\mathcal{Q}$ control abstraction and vice versa. Otherwise, a $\mathcal{Q}$ control abstraction cannot be admissible and full at the same time. Moreover, if exactly one (abstract state, abstract action) pair $\hat{s}, \hat{u}$ exists s.t. $\hat{u}$ is not $\mathcal{Q}$-admissible in $\hat{s}$, then any $\mathcal{Q}$ control abstraction is either admissible or full (i.e., full and admissible $\mathcal{Q}$ control abstractions are a partition of $\mathcal{C}(\mathcal{H}, \mathcal{Q})$). Otherwise, there will be a $\mathcal{Q}$ control abstraction which is neither full nor admissible. Finally note that, if $\hat{\mathcal{H}}_1, \hat{\mathcal{H}}_2$ are $\mathcal{Q}$ control abstractions of $\mathcal{H}$ s.t. $\hat{\mathcal{H}}_1$ is admissible and not full and $\hat{\mathcal{H}}_2$ is full and not admissible, then $\hat{\mathcal{H}}_2 \supseteq \hat{\mathcal{H}}_1$.

Example 12. Let $\mathcal{H}$ be as in Ex. [?], $\mathcal{Q} = (A, \Gamma)$ be as in Ex. 7 and $\hat{\mathcal{H}} = (\{-1, 0, 1\}, \{0, 1\}, \hat{N})$ be a control abstraction of $\mathcal{H}$. For all admissible $\mathcal{Q}$ control abstractions, $\hat{N}(1, 1, 1) = \hat{N}(-1, 1, -1) = 0$, since action $1$ is $\mathcal{Q}$-admissible neither in $-1$ nor in $1$ (see Ex. 10). On the contrary, for all full $\mathcal{Q}$ control abstractions, $\hat{N}(1, 1, 1) = \hat{N}(-1, 1, -1) = 1$. Thus, a control abstraction s.t. $\hat{N}(1, 1, 1) \oplus \hat{N}(-1, 1, -1)$ (being $\oplus$ the logical XOR) is neither full nor admissible.

By the definition of quantization, a control abstraction is a finite LTS. Moreover, two different admissible [full] $\mathcal{Q}$ control abstractions only differ in the number of self loops (Fact 5) and the set of control abstractions is a finite lattice with respect to the LTS refinement relation (Fact 6) (details are in App. A.6). This implies that $(\mathcal{C}(\mathcal{H}, \mathcal{Q}), \subseteq)$ has maximum and minimum. It is easy to show that the same holds for the lattice of admissible and full control abstractions.

Fact 5. Let $\mathcal{M}_1 = (S, A, T_1)$ and $\mathcal{M}_2 = (S, A, T_2)$ be two admissible $\mathcal{Q}$ control abstractions of a DTLHS $\mathcal{H}$, with $\mathcal{Q}$ quantization for $\mathcal{H}$. Then $\forall s, s' \in S$ s.t. $s \ne s'$, $\forall a \in A\ [T_1(s, a, s') \Leftrightarrow T_2(s, a, s')]$. The same holds if $\mathcal{M}_1, \mathcal{M}_2$ are full $\mathcal{Q}$ control abstractions.

Fact 6. Given a DTLHS $\mathcal{H}$ and a quantization $\mathcal{Q}$, the set $(\mathcal{C}(\mathcal{H}, \mathcal{Q}), \subseteq)$ of $\mathcal{Q}$ control abstractions of $\mathcal{H}$ is a lattice. Moreover, the set of admissible [full] $\mathcal{Q}$ control abstractions of $\mathcal{H}$, $(\mathcal{C}_a(\mathcal{H}, \mathcal{Q}), \subseteq)$ [$(\mathcal{C}_f(\mathcal{H}, \mathcal{Q}), \subseteq)$], is a lattice.

Example 13. Let $\mathcal{H}$ be as in Ex. [?], $\mathcal{Q} = (A, \Gamma)$ be as in Ex. 7 and $\hat{\mathcal{H}} = (\{-1, 0, 1\}, \{0, 1\}, \hat{N})$ be a control abstraction of $\mathcal{H}$. The transition relation consisting of continuous arrows only w.r.t. Fig. [?] (i.e. the LTS $S_0$ in Ex. [?]) is the minimum $\mathcal{Q}$ control abstraction of $\mathcal{H}$, whereas the transition relation consisting of all arrows (i.e. the LTS $S_1$ in Ex. [?]) is the maximum $\mathcal{Q}$ control abstraction of $\mathcal{H}$.

By Facts 5 and 6, the minimum $\mathcal{Q}$ control abstraction is the admissible $\mathcal{Q}$ control abstraction with non-eliminable self loops only. Analogously, the minimum full $\mathcal{Q}$ control abstraction is the full $\mathcal{Q}$ control abstraction with non-eliminable self loops only. Thus, the following proposition is a simple corollary of Prop. 4.

Proposition 7. Given a DTLHS $\mathcal{H}$ and a quantization $\mathcal{Q}$, it is undecidable to state if: i) a $\mathcal{Q}$ control abstraction for $\mathcal{H}$ is the minimum $\mathcal{Q}$ control abstraction for $\mathcal{H}$, and ii) a full $\mathcal{Q}$ control abstraction for $\mathcal{H}$ is the minimum full $\mathcal{Q}$ control abstraction for $\mathcal{H}$.

Figure 4: $\mathcal{Q}$ control abstraction without weak solutions (Ex. 14)

Finally, note that the minimum $\mathcal{Q}$ control abstraction is always an admissible $\mathcal{Q}$ control abstraction, whilst the maximum $\mathcal{Q}$ control abstraction is always a full $\mathcal{Q}$ control abstraction.

5.1 Maximum and Minimum Control Abstractions

Since finding a solution to a DTLHS quantized control problem is undecidable (Theor. 3), we cannot hope for a constructive sufficient and necessary condition for the existence of a $\mathcal{Q}$ QFC solution, for a given $\mathcal{Q}$. Accordingly, our approach is able to determine (via a sufficient condition) if a $\mathcal{Q}$ QFC solution exists, and otherwise to state (via a necessary condition) if a $\mathcal{Q}$ QFC solution cannot exist. Note that both the sufficient and the necessary conditions might be false. In such a case our approach is not able to decide if a $\mathcal{Q}$ QFC solution exists or not.

We base our sufficient condition on computing a (close to) minimum admissible $\mathcal{Q}$ control abstraction, and our necessary condition on computing a (close to) minimum full $\mathcal{Q}$ control abstraction. Theor. 8 gives the foundations for such an approach (details are in App. A.6).

Theorem 8. Let $\mathcal{H}$ be a DTLHS, $\mathcal{Q} = (A, \Gamma)$ be a quantization for $\mathcal{H}$, and $(\mathcal{H}, I, G)$ be a control problem.

1. If $\hat{\mathcal{H}}$ is an admissible $\mathcal{Q}$ control abstraction and $\hat{K}$ is a strong solution to the LTS control problem $(\hat{\mathcal{H}}, \Gamma(I), \Gamma(G))$ then $K(x, u) = \hat{K}(\Gamma(x), \Gamma(u))$ is a $\mathcal{Q}$ QFC strong solution to the DTLHS control problem $(\mathcal{H}, I, G)$.

2. If $\hat{\mathcal{H}}_1, \hat{\mathcal{H}}_2$ are two admissible $\mathcal{Q}$ control abstractions of $\mathcal{H}$ s.t. $\hat{\mathcal{H}}_1 \subseteq \hat{\mathcal{H}}_2$, and $\hat{K}$ is a strong solution to the LTS control problem $(\hat{\mathcal{H}}_2, \Gamma(I), \Gamma(G))$, then $\hat{K}$ is a strong solution to the LTS control problem $(\hat{\mathcal{H}}_1, \Gamma(I), \Gamma(G))$.

3. If $\hat{\mathcal{H}}$ is a full $\mathcal{Q}$ control abstraction and the LTS control problem $(\hat{\mathcal{H}}, \Gamma(I), \Gamma(G))$ does not have a weak solution then there exists no $\mathcal{Q}$ QFC (weak as well as strong) solution to the DTLHS control problem $(\mathcal{H}, I, G)$.

4. If $\hat{\mathcal{H}}_1, \hat{\mathcal{H}}_2$ are two full $\mathcal{Q}$ control abstractions of $\mathcal{H}$ s.t. $\hat{\mathcal{H}}_1 \subseteq \hat{\mathcal{H}}_2$, and $\hat{K}$ is a weak solution to the LTS control problem $(\hat{\mathcal{H}}_1, \Gamma(I), \Gamma(G))$, then $\hat{K}$ is a weak solution to the LTS control problem $(\hat{\mathcal{H}}_2, \Gamma(I), \Gamma(G))$.

Fig. 5 graphically represents a sketch of the correspondence between a concrete DTLHS $\mathcal{H}$ and the lattices of its control abstractions $\hat{\mathcal{H}}$ (in the case that at least two non-admissible actions from given states exist).

Example 14. Let $\mathcal{P} = (\mathcal{H}, I, G)$ be as in Ex. [?] and $\mathcal{Q} = (A, \Gamma)$ be as in Ex. 7. For all $\mathcal{Q}$ control abstractions $\hat{\mathcal{H}}$ in Ex. 11 (and thus for the admissible ones shown in Ex. 12) not containing the eliminable self loops $(-1, 0, -1)$ and $(1, 0, 1)$, $\hat{K}(\hat{x}, \hat{u}) = [\hat{x} \ne 0 \to \hat{u} = 0]$ (see Ex. 9) is the strong mgo for $(\hat{\mathcal{H}}, \Gamma(I), \Gamma(G))$. Thus, $K(x, u) = \hat{K}(\Gamma(x), \Gamma(u))$ is a $\mathcal{Q}$ QFC solution to $\mathcal{P}$. Weak solutions to $(\hat{\mathcal{H}}, \Gamma(I), \Gamma(G))$ exist for all (full) $\mathcal{Q}$ control abstractions $\hat{\mathcal{H}}$. Note that existence of a $\mathcal{Q}$ QFC solution to a control problem depends on $\Gamma$. Let us consider the quantization $\mathcal{Q}' = (A, \Gamma')$, where $\Gamma'(w) = \lfloor w/2 \rfloor$. A full $\mathcal{Q}'$ control abstraction of $\mathcal{H}$ is $\mathcal{C} = (\{-2, -1, 0, 1\}, \{0, 1\}, \hat{N})$, where the transition relation $\hat{N}$ is depicted in Fig. 4. $(\mathcal{C}, \Gamma'(I), \Gamma'(G))$ has no weak solution since there is no path to the goal $\Gamma'(G) = \{0\}$ from states $-2$ and $-1$. Thus $\mathcal{P}$ has no $\mathcal{Q}'$ QFC solution.

6 Quantized Controller Synthesis

In this section, we present the quantized controller synthesis algorithm (function qCtrSyn in Alg. 1). Function qCtrSyn takes as input a DTLHS control problem $\mathcal{P} = (\mathcal{H}, I, G)$ and a quantization $\mathcal{Q}$. Then, resting on Theor. 8, qCtrSyn computes an admissible $\mathcal{Q}$ control abstraction $\mathcal{M}$ in order to find a $\mathcal{Q}$ QFC strong solution to $\mathcal{P}$ (our sufficient condition), and a full $\mathcal{Q}$ control abstraction $\mathcal{W}$ to determine if such a solution does not exist (our necessary condition).

Namely, as for the sufficient condition, we compute the strong mgo $\hat{K}$ for the LTS control problem $(\mathcal{M}, \Gamma(I), \Gamma(G))$. If $\hat{K}$ exists, then a $\mathcal{Q}$ QFC strong solution to $\mathcal{P}$ may be built from $\hat{K}$. Note that, if $\hat{K}$ does not exist, a strong solution may exist for some other admissible $\mathcal{Q}$ control abstraction $\hat{\mathcal{H}}$. However, by point 2 of Theor. 8, $\hat{\mathcal{H}}$ must be lower than $\mathcal{M}$ in the hierarchy lattice (see Fig. 5). This suggests computing $\mathcal{M}$ as the minimum (admissible) $\mathcal{Q}$ control abstraction of $\mathcal{H}$. Since by Prop. 7 we are not able to compute the minimum $\mathcal{Q}$ control abstraction, we compute $\mathcal{M}$ as a close to minimum admissible $\mathcal{Q}$ control abstraction, i.e. an admissible $\mathcal{Q}$ control abstraction containing as few eliminable self loops as possible (see Ex. [?])¹.

As for the necessary condition, we compute the weak mgo $\hat{K}$ for the LTS control problem $(\mathcal{W}, \Gamma(I), \Gamma(G))$. If $\hat{K}$ does not exist, then a $\mathcal{Q}$ QFC (weak as well as strong) solution to $\mathcal{P}$ cannot exist. Note that, if $\hat{K}$ exists, a weak mgo may not exist for some other full $\mathcal{Q}$ control abstraction $\hat{\mathcal{H}}$. However, by point 4 of Theor. 8, $\hat{\mathcal{H}}$ must be lower than $\mathcal{W}$ in the hierarchy lattice (see Fig. 5). Hence, again by Prop. 7, we compute $\mathcal{W}$ as the close to minimum full $\mathcal{Q}$ control abstraction, i.e. the full $\mathcal{Q}$ control abstraction containing as few eliminable self loops as possible.

6.1 QFC Synthesis Algorithm

Our QFC synthesis algorithm (function qCtrSyn outlined in Alg. 1) takes as input a DTLHS $\mathcal{H} = (X, U, Y, N)$, a quantization $\mathcal{Q} = (A, \Gamma)$, and two predicates $I$ and $G$ over $X$, such that $(\mathcal{H}, I, G)$ is a DTLHS control problem. Function qCtrSyn returns a tuple $(\mu, D, \hat{K})$, where: $\mu \in \{\textsc{Sol}, \textsc{NoSol}, \textsc{Unk}\}$, $D = \mathrm{Dom}(\hat{K})$ and $\hat{K}$ is such that the controller $K$, defined by $K(x, u) = \hat{K}(\Gamma(x), \Gamma(u))$, is a $\mathcal{Q}$ QFC (strong) solution to the control problem $(\mathcal{H}, \Gamma^{-1}(D), G)$.

¹Note that, even if we indeed compute the minimum $\mathcal{Q}$ control abstraction, non-existence of an mgo would not imply that a $\mathcal{Q}$ QFC solution for $\mathcal{P}$ does not exist.

Algorithm 1 QFC Synthesis algorithm qCtrSyn

Input: A control problem $(\mathcal{H}, I, G)$ and quantization $\mathcal{Q} = (A, \Gamma)$

function qCtrSyn($\mathcal{H}$, $\mathcal{Q}$, $I$, $G$)

1. $\hat{I} \leftarrow \Gamma(I)$, $\hat{G} \leftarrow \Gamma(G)$

2. $\mathcal{M} \leftarrow$ minCtrAbs($\mathcal{H}$, $\mathcal{Q}$)

3. $(b, D, \hat{K}) \leftarrow$ strongCtr($\mathcal{M}$, $\hat{I}$, $\hat{G}$)

4. if $b$ then return (Sol, $D$, $\hat{K}$)

5. $\mathcal{W} \leftarrow$ minFullCtrAbs($\mathcal{H}$, $\mathcal{Q}$)

6. if existsWeakCtr($\mathcal{W}$, $\hat{I}$, $\hat{G}$) then return (Unk, $D$, $\hat{K}$)

7. else return (NoSol, $D$, $\hat{K}$)

We represent boolean functions (e.g. the transition relation of $\hat{\mathcal{H}}$) using OBDDs [12] and sets by using their characteristic functions. For the sake of clarity, however, we will present our algorithms using a set theoretic notation for sets and predicates over sets.

Alg. 1 starts (line 1) by computing a quantization $\hat{I}$ of the initial region $I$ and a quantization $\hat{G}$ of the goal region $G$ (further details are given in Sect. 6.3).

As said in Sect. 6, we want to compute a close to minimum $\mathcal{Q}$ control abstraction $\mathcal{M}$ of $\mathcal{H}$. That is, we want to compute an admissible $\mathcal{Q}$ control abstraction with as few eliminable self loops as possible, given that we cannot hope to rule out all of them by Prop. 4. This is done by function minCtrAbs in line 2, which implements an effective heuristic to build $\mathcal{M}$ (see Sect. 6.4 for further details about minCtrAbs).

Line 3 determines if a strong mgo to the LTS control problem $\hat{\mathcal{P}} = (\mathcal{M}, \hat{I}, \hat{G})$ exists by calling function strongCtr, which implements a variant of the algorithm in [13] (details are in App. A.3). Function strongCtr returns a triple $(b, D, \hat{K})$ such that $\hat{K}$ is the strong mgo for the LTS control problem $(\mathcal{M}, \emptyset, \hat{G})$ and $D = \mathrm{Dom}(\hat{K})$ is the maximum region of controllable states. If $b$ is TRUE then $\hat{K}$ is a strong mgo for $\hat{\mathcal{P}}$ (i.e. $\hat{I} \subseteq D$) and qCtrSyn returns the tuple (Sol, $D$, $\hat{K}$) (line 4). By Theor. 8 (point 1), $K(x, u) = \hat{K}(\Gamma(x), \Gamma(u))$ is a $\mathcal{Q}$ QFC solution to the DTLHS control problem $(\mathcal{H}, I, G)$. Otherwise, in lines 5–7 qCtrSyn tries to establish if such a solution may exist or not.

Function minFullCtrAbs in line 5 computes the close to minimum full $\mathcal{Q}$ control abstraction $\mathcal{W}$ of $\mathcal{H}$ (see Sect. 6.5 for further details about minFullCtrAbs). Line 6 checks if a weak mgo for the LTS control problem $\hat{\mathcal{P}}' = (\mathcal{W}, \hat{I}, \hat{G})$ exists by calling function existsWeakCtr, which is based on the algorithm in [13] (details are in App. A.3).

If function existsWeakCtr returns FALSE, then a weak mgo to the LTS control problem $\hat{\mathcal{P}}'$ does not exist, and by Prop. [2] no weak solution exists to $\hat{\mathcal{P}}'$. By Theor. 8 (point 3), no $\mathcal{Q}$ QFC solution exists for the DTLHS control problem $(\mathcal{H}, I, G)$ and accordingly qCtrSyn returns NoSol (line 7). Otherwise no conclusion can be drawn and accordingly Unk is returned (line 6). In any case, the strong mgo $\hat{K}$ for $\hat{\mathcal{P}}$ for the (close to) minimum control abstraction is returned, together with its controlled region $D$.
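Lines 3–7 of Alg. 1 run on finite abstractions, as an added example in Python; it is not the paper's or QKS's code. strongCtr and existsWeakCtr are written here as plain backward fixpoints on the abstract LTS (an assumption about their shape; the paper's variants of [13] are in App. A.3). The abstractions are constructed transition sets consistent with Exs. 11 and 14: $\mathcal{M}$ without eliminable self loops, the same $\mathcal{M}$ with the eliminable loops $(-1,0,-1)$ and $(1,0,1)$ kept, and the full $\mathcal{Q}'$ abstraction $\mathcal{C}$; together they produce all three outcomes of Theorem 9.

```python
def successors(N_hat, s, u):
    """Abstract successors of s under u in a transition set of triples (s, u, s')."""
    return {t for (a, b, t) in N_hat if a == s and b == u}

def strong_ctr(states, actions, N_hat, I_hat, G_hat):
    """strongCtr as a backward fixpoint (assumed shape, see lead-in).
    D_0 = G_hat; a state joins D when some action has at least one successor and all
    of its successors in D. K_hat enables, at a state that enters D at level i, the
    actions whose successors all lie in D_{i-1}, i.e. the actions reaching the goal in
    the fewest abstract steps. Returns (I_hat subset of D, D, K_hat)."""
    D = set(G_hat)
    K_hat = {}
    while True:
        new = {}
        for s in states:
            if s in D:
                continue
            good = set()
            for u in actions:
                succ = successors(N_hat, s, u)
                if succ and succ <= D:
                    good.add(u)
            if good:
                new[s] = good
        if not new:
            break
        K_hat.update(new)
        D.update(new)
    # On goal states enable every action that keeps the system inside D.
    for s in G_hat:
        K_hat[s] = {u for u in actions
                    if successors(N_hat, s, u) and successors(N_hat, s, u) <= D}
    return set(I_hat) <= D, D, K_hat

def exists_weak_ctr(states, actions, N_hat, I_hat, G_hat):
    """existsWeakCtr: a weak solution exists iff every initial state has some path to G_hat."""
    D = set(G_hat)
    changed = True
    while changed:
        changed = False
        for s in states:
            if s not in D and any(successors(N_hat, s, u) & D for u in actions):
                D.add(s)
                changed = True
    return set(I_hat) <= D

def q_ctr_syn(states, actions, M, W, I_hat, G_hat):
    """Lines 3-7 of Alg. 1 with M (admissible) and W (full) already built."""
    b, D, K_hat = strong_ctr(states, actions, M, I_hat, G_hat)
    if b:
        return "Sol", D, K_hat
    if exists_weak_ctr(states, actions, W, I_hat, G_hat):
        return "Unk", D, K_hat
    return "NoSol", D, K_hat

# Constructed abstractions for Q of Ex. 7, I = [-2.5, 2.5] and G = {0}, so that
# Gamma(I) = {-1, 0, 1} and Gamma(G) = {0}.
STATES, ACTIONS = (-1, 0, 1), (0, 1)
I_HAT, G_HAT = {-1, 0, 1}, {0}
M_MIN = {(-1, 0, 0), (1, 0, 0), (0, 0, 0), (0, 1, 0), (0, 1, -1), (0, 1, 1)}  # no eliminable loops
M_LOOPY = M_MIN | {(-1, 0, -1), (1, 0, 1)}            # eliminable self loops left in
# Q' of Ex. 14, Gamma'(w) = floor(w/2): abstract states {-2, -1, 0, 1}; C is a full
# Q' abstraction (constructed), C_ADM drops action 1 in -1, which is not Q'-admissible.
STATES_Q2, I_HAT_Q2 = (-2, -1, 0, 1), {-2, -1, 0, 1}
C_FULL = {(-2, 0, -1), (-1, 0, -1), (-1, 1, -2), (0, 0, 0), (0, 1, 0), (0, 1, 1), (1, 0, 0)}
C_ADM = C_FULL - {(-1, 1, -2)}

def demo():
    """Outcomes for the three constructed cases: Sol, Unk and NoSol."""
    return (q_ctr_syn(STATES, ACTIONS, M_MIN, M_MIN, I_HAT, G_HAT)[0],
            q_ctr_syn(STATES, ACTIONS, M_LOOPY, M_MIN, I_HAT, G_HAT)[0],
            q_ctr_syn(STATES_Q2, ACTIONS, C_ADM, C_FULL, I_HAT_Q2, G_HAT)[0])
```

On $\mathcal{M}$ without eliminable loops the strong mgo found is exactly $\hat{K}(\hat{x}, \hat{u}) = [\hat{x} \ne 0 \to \hat{u} = 0]$ of Ex. 14 (both actions enabled in $0$, only $0$ enabled in $\pm 1$). Keeping the eliminable loops $(\pm 1, 0, \pm 1)$ makes the strong fixpoint stall at $\pm 1$ while a weak solution still exists, hence Unk, which is why Alg. 2 works to drop such loops; under $\mathcal{Q}'$ the states $-2$ and $-1$ never reach $0$, hence NoSol.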

6.2 Synthesis Algorithm Correctness

The above considerations imply correctness of function qCtrSyn (and thus of our approach), as stated by the following theorem.

Theorem 9. Let $\mathcal{H}$ be a DTLHS, $\mathcal{Q} = (A, \Gamma)$ be a quantization, and $(\mathcal{H}, I, G)$ be a DTLHS control problem. Then qCtrSyn($\mathcal{H}$, $\mathcal{Q}$, $I$, $G$) returns a triple $(\mu, D, \hat{K})$ such that: $\mu \in \{\textsc{Sol}, \textsc{NoSol}, \textsc{Unk}\}$, $D = \mathrm{Dom}(\hat{K})$ and $K$, defined as $K(x, u) = \hat{K}(\Gamma(x), \Gamma(u))$, is a $\mathcal{Q}$ QFC solution to the control problem $(\mathcal{H}, \Gamma^{-1}(D), G)$. Furthermore, the following holds.

1. If $\mu = \textsc{Sol}$ then $I \subseteq \Gamma^{-1}(D)$ and $K$ is a $\mathcal{Q}$ QFC solution to the control problem $(\mathcal{H}, I, G)$.

2. If $\mu = \textsc{NoSol}$ then there is no $\mathcal{Q}$ QFC solution to the control problem $(\mathcal{H}, I, G)$.

Proof. If function qCtrSyn returns (Sol, $D$, $\hat{K}$), then function minCtrAbs has found an admissible $\mathcal{Q}$ control abstraction $\mathcal{M}$ of $\mathcal{H}$ (see Prop. 10) and function strongCtr has found the strong mgo $\hat{K}$ to the control problem $(\mathcal{M}, \Gamma(I), \Gamma(G))$. By Theor. 8 (point 1) the controller $K$, defined by $K(x, u) = \hat{K}(\Gamma(x), \Gamma(u))$, is a $\mathcal{Q}$ QFC strong solution to the control problem $(\mathcal{H}, I, G)$. If function qCtrSyn returns (NoSol, $D$, $\hat{K}$), there is no weak solution to the control problem $(\mathcal{W}, \Gamma(I), \Gamma(G))$, where $\mathcal{W}$ is the close to minimum full control abstraction of $\mathcal{H}$ computed by function minFullCtrAbs (Prop. 10). Therefore, by Theor. 8 (point 3) there is no $\mathcal{Q}$ QFC solution to the control problem $(\mathcal{H}, I, G)$. □

Note that if $\mu = \textsc{Unk}$ then function qCtrSyn is inconclusive, that is $(\mathcal{H}, I, G)$ may or may not have a $\mathcal{Q}$ QFC solution. This case stems from undecidability of the QFC problem (Theor. 3).

Remark 2. We note that function strongCtr (see Alg. [?]) returns a (worst case) time optimal controller, that is a controller that in each state enables the actions leading to a goal state in the least number of transitions. However the controllers we generate may not be time optimal for the real plant. In fact, self loop elimination shrinks all concrete sequences of the form $x_n, u_n, x_{n+1}, u_{n+1}, \ldots, x_{m-1}, u_{m-1}, x_m$ in every path of $\mathrm{LTS}(\mathcal{H})$ into a single abstract transition $(\Gamma(x_n), \Gamma(u_n), \Gamma(x_m))$ of $\mathcal{M}$ whenever $\Gamma(x_n) = \Gamma(x_{n+1}) = \ldots = \Gamma(x_{m-1})$ and $\Gamma(u_n) = \Gamma(u_{n+1}) = \ldots = \Gamma(u_{m-1})$. This leads to mismatches between the length of paths in the plant model and those in the control abstraction used for the synthesis. Moreover, nondeterminism added by quantization might lead to prefer an action $\hat{u}_1$ to an action $\hat{u}_2$ for an abstract state $\hat{x}$, whilst actions in $\hat{u}_2$ might be better for some real states inside $\hat{x}$. Finally, since we are not able to compute the minimum control abstraction, we may discard a possibly optimal action $\hat{u}$ because of an eliminable self loop $(\hat{x}, \hat{u}, \hat{x})$ on a non-goal state $\hat{x}$. For these reasons we refer to our controller as a near time optimal controller.

6.3 Quantization

As usual in the following $\mathcal{H} = (X, U, Y, N)$ is a DTLHS, $\mathcal{Q} = (A, \Gamma)$ is a quantization for $\mathcal{H}$, and $(\mathcal{H}, I, G)$ is a DTLHS control problem. The control abstraction to be built is $\hat{\mathcal{H}} = (\Gamma(A_X), \Gamma(A_U), \hat{N})$.

In our algorithms, we consider $\Gamma$ only in equality tests of the type $(\Gamma(W) = \hat{v}) = \bigwedge_{i \in [1, |W|]} (\gamma_{w_i}(w_i) = \hat{v}_i)$, where $W = [w_1, \ldots, w_{|W|}]$ may be $X$, $X'$ or $U$. More in detail, in our algorithms we have to solve problems of the type $P(W) = (\max, J(W), L(W) \wedge (\Gamma(W) = \hat{v}))$, being $J(W)$ a linear expression and $L(W)$ a conjunctive predicate. If also $(\Gamma(W) = \hat{v})$ is a conjunctive predicate, we have that $P(W)$ is a MILP problem, thus allowing us to use a MILP solver on $P(W)$. To this aim, we restrict ourselves to quantization functions $\gamma_w$ for which equality tests can be represented by using conjunctive predicates. For $w \in X \cup U$, a typical example is the uniform quantization $\gamma_w : A_w \to [0, \Lambda_w - 1]$, defined for a given $\Lambda_w$ as follows. Let $\delta_w = (\sup A_w - \inf A_w)/\Lambda_w$. We have that $\gamma_w(w) = z$ if and only if the conjunctive predicate $P_{\gamma_w}(w, z) = \inf A_w + \delta_w z \le w \le \inf A_w + \delta_w (z + 1)$ holds.

Remark 3. Note that, strictly speaking, the conjunctive predicate $P_{\gamma_w}(w, z)$ represents a relaxation of $\gamma_w(w) = z$. In fact, for all $k \in [1, \Lambda_w - 1]$ we have that $P_{\gamma_w}(\inf A_w + \delta_w k, k - 1) \wedge P_{\gamma_w}(\inf A_w + \delta_w k, k)$. This may introduce spurious transitions: such transitions may increase nondeterminism in the control abstraction, but do not affect soundness of our algorithm.

We may now explain how $\hat{I}$, $\hat{G}$ are effectively computed in line 1 of Alg. 1. Since the initial region $I$ is represented as a conjunctive predicate, its quantization $\hat{I}$ is computed by solving $|\Gamma(A_X)|$ feasibility problems. More precisely, $\hat{I} = \{ \hat{x} \mid \mathrm{feasible}(I(X) \wedge \Gamma(X) = \hat{x}) \}$. Similarly, the quantization $\hat{G}$ of the goal region $G$ is $\hat{G} = \{ \hat{x} \mid \mathrm{feasible}(G(X) \wedge \Gamma(X) = \hat{x}) \}$.
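The uniform quantization predicate $P_{\gamma_w}$ and the computation of $\hat{I}$ and $\hat{G}$ by feasibility tests, as an added example in Python; it is not code from the paper or from QKS. The MILP feasibility call is replaced by an interval-intersection test, which is exact when the region is an interval over a single variable (an assumption made for the example; the paper handles general conjunctive predicates over all of $X$). Exact rational arithmetic makes the boundary relaxation of Remark 3 visible.

```python
from fractions import Fraction

def uniform_quantization(a_w, b_w, lam):
    """Uniform quantization gamma_w : [a_w, b_w] -> [0, lam - 1] of Sect. 6.3.
    Returns delta_w = (sup A_w - inf A_w) / lam and the conjunctive predicate
    P_{gamma_w}(w, z) = inf A_w + delta_w z <= w <= inf A_w + delta_w (z + 1)."""
    a_w, b_w = Fraction(a_w), Fraction(b_w)
    delta = (b_w - a_w) / lam

    def pred(w, z):
        return a_w + delta * z <= Fraction(w) <= a_w + delta * (z + 1)

    return delta, pred

def gamma_values(a_w, b_w, lam, w):
    """All z with P_{gamma_w}(w, z): exactly one strictly inside a cell, two on a
    boundary inf A_w + delta_w k (the relaxation of Remark 3)."""
    _, pred = uniform_quantization(a_w, b_w, lam)
    return [z for z in range(lam) if pred(w, z)]

def quantize_region(a_w, b_w, lam, lo, hi):
    """Line 1 of Alg. 1 for a one-variable interval region [lo, hi]:
    { z | feasible(region(x) and P_{gamma_w}(x, z)) }. The conjunction of two interval
    constraints is feasible iff the intervals intersect."""
    delta, _ = uniform_quantization(a_w, b_w, lam)
    a_w, lo, hi = Fraction(a_w), Fraction(lo), Fraction(hi)
    out = []
    for z in range(lam):
        cell_lo, cell_hi = a_w + delta * z, a_w + delta * (z + 1)
        if max(lo, cell_lo) <= min(hi, cell_hi):
            out.append(z)
    return out
```

With $A_w = [-2.5, 2.5]$ and $\Lambda_w = 5$ (constructed values) the cells are unit intervals and $G = \{0\}$ quantizes to the single state $2$; a goal placed on a cell boundary, such as $G = \{-1.5\}$, quantizes to two states, which is the spurious nondeterminism Remark 3 describes.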

Algorithm 2 Building control abstractions

Input: A DTLHS $\mathcal{H} = (X, U, Y, N)$ and a quantization $\mathcal{Q} = (A, \Gamma)$.

function minCtrAbs($\mathcal{H}$, $\mathcal{Q}$)

1. $\hat{N} \leftarrow \emptyset$

2. for all $\hat{x} \in \Gamma(A_X)$ do

3. for all $\hat{u} \in \Gamma(A_U)$ do

4. if $\neg$ Q-admissible($\mathcal{H}$, $\mathcal{Q}$, $\hat{x}$, $\hat{u}$) then continue

5. if selfLoop($\mathcal{H}$, $\mathcal{Q}$, $\hat{x}$, $\hat{u}$) then $\hat{N} \leftarrow \hat{N} \cup \{(\hat{x}, \hat{u}, \hat{x})\}$

6. $O \leftarrow$ overImg($\mathcal{H}$, $\mathcal{Q}$, $\hat{x}$, $\hat{u}$)

7. for all $\hat{x}' \in \Gamma(O)$ do

8. if $\hat{x} \ne \hat{x}' \wedge$ existsTrans($\mathcal{H}$, $\mathcal{Q}$, $\hat{x}$, $\hat{u}$, $\hat{x}'$) then

9. $\hat{N} \leftarrow \hat{N} \cup \{(\hat{x}, \hat{u}, \hat{x}')\}$

10. return $\hat{N}$



6.4 Computing Minimum Control Abstractions

In this section, we present in Alg. 2 function minCtrAbs, which effectively computes a close to minimum $\mathcal{Q}$ control abstraction for a given DTLHS.

Starting from the empty transition relation (line 1) function minCtrAbs checks for every triple $(\hat{x}, \hat{u}, \hat{x}') \in \Gamma(A_X) \times \Gamma(A_U) \times \Gamma(A_X)$ if the transition $(\hat{x}, \hat{u}, \hat{x}')$ belongs to the (close to) minimum control abstraction and accordingly adds it to $\hat{N}$ or not.

For any pair $(\hat{x}, \hat{u})$ in $\Gamma(A_X) \times \Gamma(A_U)$ line 4 checks if $\hat{u}$ is $\mathcal{Q}$-admissible in $\hat{x}$. This check is carried out by determining if the predicate $P(X, U, Y, X', \hat{x}, \hat{u}) = N(X, U, Y, X') \wedge \Gamma(X) = \hat{x} \wedge \Gamma(U) = \hat{u} \wedge X' \notin A_X$ is not feasible. If $\hat{u}$ is not $\mathcal{Q}$-admissible in $\hat{x}$ (i.e., if $P(X, U, Y, X', \hat{x}, \hat{u})$ is feasible), no transition of the form $(\hat{x}, \hat{u}, \hat{x}')$ is added to $\hat{N}$. Note that $X' \notin A_X$ is not a conjunctive predicate, thus feasibility of predicate $P(X, U, Y, X', \hat{x}, \hat{u})$ cannot be directly checked via function feasible. We implement such a check by calling $2|X|$ times function feasible in the following way. For each $x' \in X'$, let $P^-(X, U, Y, X', \hat{x}, \hat{u}) = N(X, U, Y, X') \wedge \Gamma(X) = \hat{x} \wedge \Gamma(U) = \hat{u} \wedge x' < \inf A_x$ and $P^+(X, U, Y, X', \hat{x}, \hat{u}) = N(X, U, Y, X') \wedge \Gamma(X) = \hat{x} \wedge \Gamma(U) = \hat{u} \wedge x' > \sup A_x$. For each $x' \in X'$, we call function feasible on $P^-$ and $P^+$ separately. If all such $2|X|$ calls return FALSE, then $P$ is not feasible, otherwise $P$ is feasible. Note that by Def. 14 we should also check that $\forall x \in \Gamma^{-1}(\hat{x})\ \forall u \in \Gamma^{-1}(\hat{u})\ \exists x' \in \mathcal{D}_X\ \exists y \in \mathcal{D}_Y\ N(x, u, y, x')$. This cannot be checked via function feasible. We therefore perform such a check by using a tool for quantifier elimination, namely Mjollnir [36].

If $\hat{u}$ is $\mathcal{Q}$-admissible in $\hat{x}$, line 5 checks if the self loop $(\hat{x}, \hat{u}, \hat{x})$ has to be added to $\hat{N}$. To this aim, we employ a function selfLoop which takes a (state, action) pair $(\hat{x}, \hat{u})$ and returns FALSE if, according to Def. 13, the self loop $(\hat{x}, \hat{u}, \hat{x})$ is eliminable (i.e., it need not be in $\hat{N}$). Details about our gradient based heuristic implemented in function selfLoop are given in Sect. 6.6.

Function overImg (line 6) computes a rectangular region $O$, that is a quite tight overapproximation of the set of one step reachable states from $\hat{x}$ via $\hat{u}$. $O$ is obtained by computing for each state variable $x_i$ the minimum and maximum possible values for the corresponding next state variable. Namely, $O = \prod_{i = 1, \ldots, |X|} [\gamma_{x_i}(m_i), \gamma_{x_i}(M_i)]$ where $m_i = \mathrm{optimalValue}(\min, x'_i, N(X, U, Y, X') \wedge A(X') \wedge \Gamma(X) = \hat{x} \wedge \Gamma(U) = \hat{u})$ and $M_i = \mathrm{optimalValue}(\max, x'_i, N(X, U, Y, X') \wedge A(X') \wedge \Gamma(X) = \hat{x} \wedge \Gamma(U) = \hat{u})$.

Finally, for each abstract state $\hat{x}' \in \Gamma(O)$ line 8 checks if there exists a concrete transition realizing the abstract transition $(\hat{x}, \hat{u}, \hat{x}')$ when $\hat{x} \ne \hat{x}'$. To this end, function existsTrans solves the MILP feasibility problem $N(X, U, Y, X') \wedge \Gamma(X) = \hat{x} \wedge \Gamma(U) = \hat{u} \wedge \Gamma(X') = \hat{x}'$.

Remark 4. From the nested loops in lines 2, 3 and 7 we have that minCtrAbs worst case runtime is $O(|\Gamma(A_X)|^2 |\Gamma(A_U)|)$. However, thanks to the heuristic implemented in function overImg, minCtrAbs typical runtime is about $O(|\Gamma(A_X)| |\Gamma(A_U)|)$ as confirmed by our experimental results (see Sect. [?], Fig. [?]). The same holds for function minFullCtrAbs (see Sect. 6.5).

Remark 5. Function minCtrAbs is explicit in the (abstract) states and actions of $\hat{\mathcal{H}}$ and symbolic with respect to the auxiliary variables (modes) in the transition relation $N$ of $\mathcal{H}$. As a result our approach works well with systems with just a few state variables and many modes, our target here.

6.5 Computing Minimum Full Control Abstraction 

Function minCtrAbs can be easily modified in order to compute the close to minimum full $\mathcal{Q}$ control abstraction, thus obtaining function minFullCtrAbs called in Alg. 1, line 5.

More precisely, function minFullCtrAbs is obtained by removing the highlighted code (on grey background) from Alg. 2, namely the admissibility check in line 4. Correctness of functions minCtrAbs and minFullCtrAbs is stated by the following proposition (details are in the appendix).



Proposition 10. Let $\mathcal{H} = (X, U, Y, N)$ be a DTLHS and $\mathcal{Q} = (A, \Gamma)$ be a quantization for $\mathcal{H}$.

If $\hat{N}$ is the transition relation computed by minCtrAbs$(\mathcal{H}, \mathcal{Q})$ then $\hat{\mathcal{H}} = (\Gamma(A_X), \Gamma(A_U), \hat{N})$ is an admissible $\mathcal{Q}$ control abstraction of $\mathcal{H}$.

If $\hat{N}$ is the transition relation computed by minFullCtrAbs$(\mathcal{H}, \mathcal{Q})$ then $\hat{\mathcal{H}} = (\Gamma(A_X), \Gamma(A_U), \hat{N})$ is a full $\mathcal{Q}$ control abstraction of $\mathcal{H}$.

6.6 Self Loop Elimination 

In order to exactly get the minimum control abstraction, function selfLoop should return TRUE iff the given self loop is non-eliminable. This entails checking condition 3 of Def. 13, namely: $P(\hat{x}, \hat{u}) = \exists \pi\ \forall t \in \mathbb{N}\ \pi^{(S)}(t) \in \Gamma^{-1}(\hat{x}) \wedge \pi^{(A)}(t) \in \Gamma^{-1}(\hat{u})$, which is undecidable. Function selfLoop, outlined in Alg. 3, checks a sufficient condition for self loop elimination that in practice turns out to be very effective. That is, function selfLoop returns FALSE only if the self loop is eliminable (or there is no concrete witness for it). On the other hand, if function selfLoop returns TRUE, then the self loop under consideration may be non-eliminable as well as eliminable. Conservatively, we assume self loops for which function selfLoop returns TRUE to be non-eliminable (i.e. they are added to the close to minimum control abstraction, see line 5 of Alg. 2).

Algorithm 3 Self loop elimination

Input: A DTLHS $\mathcal{H} = (X, U, Y, N)$, a quantization $\mathcal{Q} = (A, \Gamma)$, an abstract state $\hat{x}$, and an abstract action $\hat{u}$.

function selfLoop$(\mathcal{H}, \mathcal{Q}, \hat{x}, \hat{u})$

1. if $\neg$existsTrans$(\hat{x}, \hat{u}, \hat{x})$ then return FALSE
2. for $i = 1$ to $|X|$ do
3.   $w_i \leftarrow$ optimalValue$(\min,\ x'_i - x_i,\ N(X,U,Y,X') \wedge \Gamma(X) = \hat{x} \wedge \Gamma(U) = \hat{u} \wedge \Gamma(X') = \hat{x})$
4.   if $w_i > 0$ then return FALSE
5.   $W_i \leftarrow$ optimalValue$(\max,\ x'_i - x_i,\ N(X,U,Y,X') \wedge \Gamma(X) = \hat{x} \wedge \Gamma(U) = \hat{u} \wedge \Gamma(X') = \hat{x})$
6.   if $W_i < 0$ then return FALSE
7. return TRUE

Function selfLoop in Alg. 3 works as follows. First of all it checks if there is a concrete witness for the self loop under consideration. If it is not the case, selfLoop returns FALSE (line 1). Otherwise, for each real variable $x_i$, it tries to establish if $x_i$ is either always increasing or always decreasing inside $\Gamma^{-1}(\hat{x})$ by performing actions in $\Gamma^{-1}(\hat{u})$.

The minimum (resp. maximum) variation $w_i$ (resp. $W_i$) of the variable $x_i$ caused by performing an action $u \in \Gamma^{-1}(\hat{u})$ in $\Gamma^{-1}(\hat{x})$ is computed by solving the MILP problem in line 3 (resp. 5). If for some $i$, $w_i$ is strictly positive, $x'_i - x_i$ is strictly positive and then $x_i$ is always increasing inside $\Gamma^{-1}(\hat{x})$ by performing actions in $\Gamma^{-1}(\hat{u})$. Since $\Gamma^{-1}(\hat{x})$ is a compact set, no Zeno phenomena may arise and hence, executing actions in $\Gamma^{-1}(\hat{u})$, it is guaranteed that $\mathcal{H}$ will eventually leave the region $\Gamma^{-1}(\hat{x})$ (line 4). Similarly, if for some $i$, $W_i$ is strictly negative, $x'_i - x_i$ is strictly negative and then $x_i$ is always decreasing inside $\Gamma^{-1}(\hat{x})$ by performing actions in $\Gamma^{-1}(\hat{u})$ (line 6).

Correctness of function selfLoop follows from the considerations given above, and is stated by the following proposition (details are in App. A.7).



Proposition 11. Let $\mathcal{H} = (X, U, Y, N)$ be a DTLHS, $\mathcal{Q} = (A, \Gamma)$ be a quantization for $\mathcal{H}$, $\hat{x} \in \Gamma(A_X)$, and $\hat{u} \in \Gamma(A_U)$. If the abstract self loop $(\hat{x}, \hat{u}, \hat{x})$ has a concrete witness and selfLoop$(\mathcal{H}, \mathcal{Q}, \hat{x}, \hat{u})$ returns FALSE, then $(\hat{x}, \hat{u}, \hat{x})$ is an eliminable self loop.

Note that if selfLoop$(\hat{x}, \hat{u})$ returns TRUE, $P(\hat{x}, \hat{u})$ may be false, thus by Prop. 11 $P(\hat{x}, \hat{u}) \rightarrow$ selfLoop$(\hat{x}, \hat{u})$. This can also be formulated as follows: if $(\hat{x}, \hat{u}, \hat{x})$ is a non-eliminable self loop, then selfLoop$(\hat{x}, \hat{u})$ returns TRUE (but the vice versa does not hold). The heuristic implemented in function selfLoop in practice leads to a control abstraction very close to the minimum one, as shown by our experimental results (see Tab. 1 in Sect. 8).

7 Control Software Generation 

In this section we describe how we synthesize the actual control software (C functions Control_Law and Controllable_Region in Sect. 1) and show how we compute its WCET. More details are given in [32] and in the appendix.

First, we note that given an OBDD $B$, we can easily generate a C function implementation obdd2c$(B)$ for the boolean function (defined by) $B$ by implementing in C the semantics of OBDD $B$. We do this by replacing each OBDD node with an if-then-else block and each OBDD edge with a goto instruction. When multiple OBDDs are translated via obdd2c, sharing between such OBDDs may be taken into account by maintaining a hash table of already translated OBDD nodes.

Let $(\mu, D, K)$ be the output of function qCtrSyn in Alg. 1. We synthesize function Controllable_Region by computing obdd2c$(D)$.

Let $r$ (resp. $n$) be the number of bits used to represent plant actions (resp. states). Let $F : \mathbb{B}^n \to \mathbb{B}^r$ be any boolean function such that, for each quantized state $x$, if $D(x)$ holds then also $K(x, F(x))$ holds. In other words, $F$ is a boolean function returning, for each quantized state $x$ in the controllable region $D = \mathrm{Dom}(K)$, a quantized action $u$ such that $K(x, u)$ holds. In a hardware synthesis setting, techniques to compute $F$ satisfying the above functional equation have been widely studied. In our software synthesis setting we follow the approach presented in [13] to compute such an $F$. Let $F_i : \mathbb{B}^n \to \mathbb{B}$ be the boolean function computing the $i$-th bit of $F$. That is, $F(x) = [F_1(x), \ldots, F_r(x)]$. Then, we take function Control_Law to be (the C implementation of) $[\mathrm{obdd2c}(F_1), \ldots, \mathrm{obdd2c}(F_r)]$.






7.1 Control Software WCET 

We can easily compute the WCET for our control software. In fact all OBDDs we are considering have at most $n$ variables. Accordingly, the execution of the resulting C code will go through at most $n$ instruction blocks consisting essentially of an if-then-else and a goto statement. Let $T_B$ be the time needed to execute one such block on the microcontroller hosting the control software. Then we have that the WCET of Controllable_Region [Control_Law] is less than or equal to $n \cdot T_B$ [$r \cdot n \cdot T_B$]. Thus, neglecting I/O times, each iteration of the control loop (see Fig. 1) takes time (control software WCET) at most $(r + 1) \cdot n \cdot T_B$. Note that a stricter upper bound for the WCET may be obtained by taking into account OBDD heights (which are by construction at most $n$). Thus, the control software WCET is at most $\mathrm{WCET} = \sum_{i=1}^{r+1} \mathrm{height}(F_i)\, T_B$, where $F_{r+1} = D$ (i.e. the OBDD for the controllable region). The control loop (Fig. 1) poses the hard real time requirement that the control software WCET be less than or equal to the sampling time $T$. This is the case when $\mathrm{WCET} \le T$ holds. Such an inequality allows us to know, beforehand, the realizability of the foreseen control schema.
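The translation sketched in Sect. 7 and the height-based bound of Sect. 7.1 can be carried out on a toy OBDD. The following is an added example, not code from the paper or from QKS: the OBDD encoding (a dictionary from node id to a triple of variable index, low child, high child, with the leaves written "0" and "1" and no complement edges) is an assumption of this example, as are the constructed OBDDs D, F1 and F2 over three state bits. The example emits Controllable_Region as one goto-based C function, emits all control-law bits as a single Control_Law_Bits function dispatched by a switch (as in the snapshot of Fig. 9) so that a node shared between bits is translated once, and checks the WCET bound against a sampling time.

```python
import re
from typing import Dict, List, Set, Tuple, Union

Node = Union[str, Tuple[int, str, str]]   # leaf "0"/"1", or (var index, low id, high id)
Obdd = Dict[str, Node]

# Constructed sample OBDDs over state bits x[0], x[1], x[2] (not from the paper):
#   D  (root "d0") is the controllable region,
#   F1 (root "f0") and F2 (root "f1") compute the two control-law bits.
# Node "n2" is shared by all three OBDDs.
NODES: Obdd = {
    "d0": (0, "d1", "n2"),
    "d1": (1, "0", "n2"),
    "n2": (2, "0", "1"),
    "f0": (0, "n2", "1"),
    "f1": (1, "n2", "0"),
}
D_ROOT, F_ROOTS = "d0", ["f0", "f1"]


def eval_obdd(nodes: Obdd, root: str, x: List[int]) -> int:
    """Reference semantics: follow the high edge when x[var] == 1, else the low edge."""
    node = root
    while node not in ("0", "1"):
        var, lo, hi = nodes[node]
        node = hi if x[var] == 1 else lo
    return int(node)


def height(nodes: Obdd, root: str) -> int:
    """Number of decision nodes on the longest root-to-leaf path."""
    if root in ("0", "1"):
        return 0
    _, lo, hi = nodes[root]
    return 1 + max(height(nodes, lo), height(nodes, hi))


def wcet_bound(nodes: Obdd, d_root: str, f_roots: List[str], t_b: int) -> int:
    """Sect. 7.1: WCET = sum_{i=1}^{r+1} height(F_i) * T_B, with F_{r+1} = D (t_b in ns)."""
    return sum(height(nodes, r) for r in f_roots + [d_root]) * t_b


def fits_sampling_time(nodes: Obdd, d_root: str, f_roots: List[str], t_b_ns: int, t_ns: int) -> bool:
    """The hard real time requirement WCET <= T of Sect. 7.1."""
    return wcet_bound(nodes, d_root, f_roots, t_b_ns) <= t_ns


def _goto(target: str) -> str:
    return {"0": "goto L_zero", "1": "goto L_one"}.get(target, f"goto L_{target}")


def _emit_nodes(nodes: Obdd, roots: List[str], emitted: Set[str], lines: List[str]) -> None:
    """One if-then-else block per node, one goto per edge; `emitted` is the
    table of already translated nodes, so a shared node gets a single block."""
    todo = list(roots)
    while todo:
        nid = todo.pop()
        if nid in ("0", "1") or nid in emitted:
            continue
        emitted.add(nid)
        var, lo, hi = nodes[nid]
        lines.append(f"  L_{nid}: if (x[{var}] == 1) {_goto(hi)}; else {_goto(lo)};")
        todo += [lo, hi]


def controllable_region_c(nodes: Obdd, d_root: str) -> str:
    """obdd2c(D): the C text of Controllable_Region."""
    lines = ["int Controllable_Region(int *x) {", "  int ret_b = 0;", f"  {_goto(d_root)};"]
    _emit_nodes(nodes, [d_root], set(), lines)
    lines += ["  L_one: ret_b = 1;", "  L_zero: return ret_b;", "}"]
    return "\n".join(lines)


def control_law_bits_c(nodes: Obdd, f_roots: List[str]) -> Tuple[str, int]:
    """All r bits in one function, dispatched on b; returns (C text, blocks emitted)."""
    lines = ["int Control_Law_Bits(int *x, int b) {", "  int ret_b = 0;", "  switch (b) {"]
    for i, r in enumerate(f_roots):
        lines.append(f"    case {i}: {_goto(r)};")
    lines.append("    default: return -1;")   # assumption: an out-of-range bit index is an error
    lines.append("  }")
    emitted: Set[str] = set()
    _emit_nodes(nodes, f_roots, emitted, lines)
    lines += ["  L_one: ret_b = 1;", "  L_zero: return ret_b;", "}"]
    return "\n".join(lines), len(emitted)


def labels_consistent(c_text: str) -> bool:
    """Every goto target in the generated text must be a defined label."""
    defined = set(re.findall(r"(L_\w+):", c_text))
    used = set(re.findall(r"goto (L_\w+)", c_text))
    return used <= defined


if __name__ == "__main__":
    print(controllable_region_c(NODES, D_ROOT))
    print(control_law_bits_c(NODES, F_ROOTS)[0])
    print("WCET bound (ns) with T_B = 100 ns:", wcet_bound(NODES, D_ROOT, F_ROOTS, 100))
```

With these OBDDs the two control-law bits need three node blocks rather than four, because "n2" is emitted once, and the height bound gives $3 + 2 + 2 = 7$ blocks per control loop iteration; with $T_B = 100$ ns this fits a $T = 1\,\mu s$ sampling time, while $T_B = 200$ ns does not.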



8 Experimental Results 

We implemented our QFC synthesis algorithm in the C programming language, using GLPK to solve MILP problems and the CUDD package for OBDD based computations. We name the resulting tool QKS (Quantized feedback Kontrol Synthesizer).

In this section we present our experiments that aim at evaluating the effectiveness of: the control abstraction generation, the synthesis of the OBDD representation of the control law, and the control software size, performance, and guaranteed operational ranges (i.e. controllable region). Note that control software reaction time (WCET) is known a priori from Sect. 7.1, and its robustness to parameter variations in the controlled system as well as enforcement of safety bounds on state variables are an input to our synthesis algorithm (see Ex. 1 and Sect. 8.1).
8.1 Experimental Settings

We present experimental results obtained by using QKS on a version of the buck DC-DC converter described in Sect. 3.1. We denote with $\mathcal{H} = (X, U, \bar{Y}, \bar{N})$ the DTLHS modeling such a converter, where $X, U$ are as in Sect. 3.1, whilst $\bar{Y}$ and $\bar{N}$ extend $Y$ and $N$ given in Sect. 3.1 as described in the following. $\bar{N}$ is the conjunction of Eqs. (5)-(11) of Sect. 3.1 and of the additional constraints defined in the following. We set the parameters of $\mathcal{H}$ as follows:

$r_L = 0.1\,\Omega$   $L = 2 \cdot 10^{-4}\,H$   $T = 10^{-6}$ secs   $R = 5\,\Omega \pm 25\%$
$r_C = 0.1\,\Omega$   $C = 5 \cdot 10^{-5}\,F$   $V_i = 15\,V \pm 25\%$

and require our controller to be robust to foreseen variations (25%) in the load ($R$) and in the power supply ($V_i$). Variations in the power supply are modeled by adding Eqs. (13) and (14) to $\bar{N}$ (note that such constraints replace Eq. (12) in Sect. 3.1, see also Ex. 1):

$v_D \le v_u - V_i(1 - \rho_{V_i})$ (13)    $v_D \ge v_u - V_i(1 + \rho_{V_i})$ (14)

being the tolerance $\rho_{V_i} = 25\%$. Along the same lines, $\mathcal{H}$ models also variations in the load $R$. However, since the dynamics of $\mathcal{H}$ is not linear in $R$, much more work is needed [33]. For the sake of brevity, we simply point out that modeling variations in the load $R$ requires 11 auxiliary boolean variables to be added to $Y$, thus obtaining $\bar{Y}$, and 15 (guarded) constraints to be added to $N$ (details are in the appendix).

For converters, safety (as well as physical) considerations set requirements on admissible values for state variables (admissible regions). We set $A_{i_L} = [-4, 4]$ and $A_{v_O} = [-1, 7]$. Since the action variable $u$ is boolean, we have $A_u = \mathbb{B}$. We define $A = A_{i_L} \times A_{v_O} \times A_u$. Note that robustness requires that, notwithstanding nondeterministic variations (within the given tolerances) for power supply and load, the synthesized controller always keeps state variables within their admissible region $A$. As for auxiliary variables, we use the following safety bounds: $A_{i_u} = A_{i_D} = [-10^3, 10^3]$ and $A_{v_u} = A_{v_D} = [-10^7, 10^7]$. As a result, we add 12 further constraints to $\bar{N}$ stating that $\bigwedge_{y \in \{i_L, v_O, i_u, i_D, v_u, v_D\}} y \in A_y$ (details are in the appendix).

Finally, the initial region $I$ and goal region $G$ are as in Ex. 1, thus the DTLHS control problem we consider is $\mathcal{P} = (\mathcal{H}, I, G)$. Note that no (formally proved) robust control software is available for buck DC-DC converters.

We use a uniform quantization dividing the domain of each state variable ($i_L$, $v_O$) into $2^b$ equal intervals, where $b$ is the number of bits used by AD conversion (thus, in the notation of Sect. 6.3, both $i_L$ and $v_O$ are split into $2^b$ intervals). We call the resulting set of quantization functions $\Gamma_b = \{\gamma_{i_L}, \gamma_{v_O}, \gamma_u\}$, where $\gamma_u$ is the identity function. The resulting quantization is $\mathcal{Q}_b = (A, \Gamma_b)$. The quantization step for $\Gamma_b$ is $\|\Gamma_b\| = \|\gamma_{i_L}\| = \|\gamma_{v_O}\| = |A_{i_L}|/2^b = |A_{v_O}|/2^b = 2^{3-b}$. Since we have two quantized variables ($i_L$, $v_O$), each one with $b$ bits, the number of states in the control abstraction is exactly $2^{2b}$. Note that the quantization $\mathcal{Q}_b$ and the transition relation of $\mathcal{H}$ are s.t. $\forall \hat{s} \in \Gamma(A_X)\ \forall \hat{u} \in \Gamma(A_U)\ \forall s \in \Gamma^{-1}(\hat{s})\ \forall u \in \Gamma^{-1}(\hat{u})\ \exists s' \in \mathcal{D}_X\ \exists y \in \mathcal{D}_Y\ N(s, u, y, s')$. This allows us to skip the Mjollnir check described in Sect. 6.4.

For each value of interest for $b$, we run QKS, and thus Alg. 1, on the control problem $(\mathcal{H}, I, G)$ with quantization $\mathcal{Q}_b$. In the following, we will call $\hat{\mathcal{M}}_b$ the close to minimum $\mathcal{Q}_b$ control abstraction for $\mathcal{H}$, $\hat{\mathcal{H}}_b$ the maximum full $\mathcal{Q}_b$ control abstraction for $\mathcal{H}$ (which we compute for statistical reasons only), $\hat{K}_b$ the strong mgo for $\hat{\mathcal{P}}_b = (\hat{\mathcal{M}}_b, \emptyset, \Gamma_b(G))$, $\hat{D}_b = \mathrm{Dom}(\hat{K}_b)$ the controllable region of $\hat{K}_b$, and $K_b(s, u) = \hat{K}_b(\Gamma_b(s), \Gamma_b(u))$ the $\mathcal{Q}_b$ QFC solution to the control problem $\mathcal{P}_b = (\mathcal{H}, \Gamma_b^{-1}(\hat{D}_b), G)$. All our experiments have been carried out on a 3.0 GHz Intel hyperthreaded Quad Core Linux PC with 8 GB of RAM.



8.2 QKS Performance 

In this section we show the performance (in terms of computation time and memory) of the algorithms discussed in Sect. 6. Our MILP based technique requires that $\mathcal{H}$ is represented by conjunctive predicates. The DTLHS model $\mathcal{H}$ of the buck DC-DC converter given in Sect. 8.1 makes use of guarded predicates. The transformation given in Prop. 1 requires that $\mathcal{H}$ is bounded, as is indeed the case.

Tabs. 1 and 2 show our experimental results for QKS (and thus for Alg. 1). Columns in Tab. 1 have the following meaning. Column $b$ shows the number of AD bits. Columns labeled Control Abstraction show performance for Alg. 2 (computation of $\hat{\mathcal{M}}_b$): running time (column CPU, in secs), memory usage (MEM, in bytes), the number of transitions in $\hat{\mathcal{M}}_b$ (Arcs), the number of self loops in $\hat{\mathcal{H}}_b$ (MaxLoops), and the fraction of self loops that are kept in $\hat{\mathcal{M}}_b$ w.r.t. the number of self loops in $\hat{\mathcal{H}}_b$ (LoopFrac).

Columns labeled Controller Synthesis show the computation time (column CPU, in secs) for the generation of $\hat{K}_b$, and the size of its OBDD representation (OBDD, number of nodes). The latter is also the size (number of lines) of the synthesized C implementation of $K_b$. Finally, columns labeled Total show the total computation time (column CPU, in secs) and the memory (MEM, in bytes) for the whole process (i.e., control abstraction plus controller source code generation), as well as the final outcome $\mu \in \{\mathrm{SOL}, \mathrm{NoSOL}, \mathrm{Unk}\}$ of Alg. 1.

Table 1: Buck DC-DC converter (Sect. 3): control abstraction and controller synthesis results.

Figure 6: Number of MILP4 calls.

Figure 7: Average of MILP calls.

Figure 8: Controlled region with $b = 10$ bits.

From Tab. 1 we see that computing control abstractions (i.e. Alg. 2) is the most expensive operation in QKS and that, thanks to function selfLoop, $\hat{\mathcal{M}}_b$ contains no more than 2% of the loops in $\hat{\mathcal{H}}_b$.

8.2.1 MILP Problems Analysis

For each MILP problem solved in QKS, Tab. 2 shows (as a function of $b$) the total and the average CPU time (in seconds) spent solving MILP problems, together with the number of MILP problems solved, divided by the different kinds of MILP problems as follows. MILP1 refers to the MILP problems described in Sect. 6.3, i.e. those computing the quantization for $I$ and $G$; MILP2 refers to the MILP problems in function selfLoop (see Alg. 3); MILP3 refers to the MILP problems used in function overImg (line 6 of Alg. 2); MILP4 refers to the MILP problems used to check action admissibility (line 4 of Alg. 2); and MILP5 refers to the MILP problems used to check transition witnesses (line 8 of Alg. 2). Columns in Tab. 2 have the following meaning: Num is the number of times that the MILP problem of the given type is called, Time is the total CPU time (in secs) needed to solve all the Num instances of the MILP problem of the given type, and Avg is the average CPU time (in secs), i.e. the ratio between columns Time and Num (details are in App. B). Fig. 6 graphically shows (as a function of $b$) the number of MILP4 instances solved (column Num of column group MILP4 in Tab. 2). From Tab. 2, column Avg, we see that the average time spent solving each MILP instance is small. Fig. 7 graphically shows that the MILP average computation time does not heavily depend on $b$. As observed in Remark 4, Fig. 6 shows that the number of MILP4 invocations is much closer to $|\Gamma(A_X)|\,|\Gamma(A_U)| = 2^{2b+1}$ than to the theoretical worst case running time $|\Gamma(A_X)|^2\,|\Gamma(A_U)| = 2^{4b+1}$ of Alg. 2. This shows the effectiveness of the heuristic implemented in function overImg.

Table 2: Buck converter: number of MILPs and time to solve them (secs).

8.3 Controller Performance 

In this section we discuss the performance of the generated controller. Fig. 9 shows a snapshot of the QKS synthesized control software for the buck DC-DC converter when 10 bits ($b = 10$) are used for AD conversion.



/* Excerpt of generated code: each OBDD node is an if-then-else block, each
   OBDD edge a goto; labels are node identifiers. Complement edges flip ret_b. */
int Control_Law_Bits(int *x, int b);

int Controllable_Region(int *x) {
    int ret_b = 0;
    L_2af64a1: if (x[2] == 1) goto L_2b001e0;
               else { ret_b = !ret_b; goto L_2afff40; }
    L_21f95e0: return ret_b;
    L_2b07f00: if (x[14] == 1) goto L_21f95e0;
               else goto L_2b07ee0;
    /* ... */
}

int Control_Law(int *x, int *a) {
    a[0] = Control_Law_Bits(x, 0);
    return 0;
}

int Control_Law_Bits(int *x, int b) {
    int ret_b;
    switch (b) { case 0: ret_b = 0; goto L_2af6081; }
    L_2af6081: if (x[2] == 1) goto L_2a6d2e0;
               else { ret_b = !ret_b; goto L_2af6060; }
    L_21f95e0: return ret_b;
    /* ... */
}





Figure 9: A snapshot of the synthesized control software for the Buck DC-DC 
converter with 10 bit AD conversion. 



8.3.1 Controllable Region 

One of the most important features of our approach is that it returns the guaranteed operational range (precondition) of the synthesized software (Theor. 9). This is the controllable region $D$ returned by Alg. 1. In our case study, 9 bits turn out to be enough to have a controllable region that covers the initial region [33]. Increasing the number of bits, we obtain even larger controllable regions. Fig. 8 shows the controllable region $D_{10} = \Gamma_{10}^{-1}(\hat{D}_{10})$ for $K_{10}$ along with some trajectories (with time increasing counterclockwise) for the closed loop system. We see that the initial region $I \subseteq D_{10}$. Thus we know (on a formal ground) that 10 bit AD conversion suffices for our purposes.

8.3.2 Setup Time and Ripple 

Our model based control software synthesis approach presently does not handle quantitative liveness specifications. Accordingly, quantitative system level formal specifications have to be verified a posteriori. This can be done using a classical Hardware-In-the-Loop (HIL) simulation approach or, even better, following a formal approach, as discussed in [20, 25]. In our context HIL simulation is quite easy since we already have a DTLHS model for the plant and the control software is generated automatically.

To illustrate this point, in this section we highlight HIL simulation results for two quantitative specifications typically considered in control systems: setup time and ripple.

The setup time measures the time it takes to reach the goal (steady state) when the system is turned on. Fig. 10(a) shows trajectories starting from point $(0, 0)$ for $K_9$, $K_{10}$ and $K_{11}$ as well as the control command sent to the MOSFET (square wave in Fig. 10(a)) for $K_{11}$. Note that all trajectories stabilize (steady state) after only 0.0003 secs (setup time).

The ripple measures the width of the oscillations around the goal (steady state) once this has been reached. Fig. 10(b) shows the ripple for the output voltage after stabilization. For $K_{11}$ we see that the ripple is about 0.01 V, that is 0.2% of the reference value $V_{ref} = 5$ V.

It is worth noticing that both setup time and ripple compare well with typical figures of commercial high-end buck DC-DC converters (e.g. see [57]) and with the results available from the literature.
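The two a-posteriori measures just described can be extracted mechanically from a sampled closed-loop trace. The following is an added example, not code from the paper or from QKS: the trace is constructed (a first-order rise to $V_{ref} = 5$ V with a small periodic oscillation of assumed shape), whereas in practice it would come from an HIL simulation of the DTLHS plant driven by the synthesized Control_Law. Setup time is taken as the first instant after which every later sample stays within a tolerance band around $V_{ref}$ (band width and window length are assumptions of this example), and ripple as the peak-to-peak excursion over a late window, so that the transient tail does not inflate it.

```python
import math
from typing import Dict, List, Optional

V_REF = 5.0       # reference output voltage of Sect. 8.3.2 (V)
T_SAMPLE = 1e-6   # sampling time T of Sect. 8.1 (secs)


def constructed_trace(n: int = 1000, tau: float = 50.0,
                      ripple_amp: float = 0.005, period: int = 20) -> List[float]:
    """Constructed stand-in for an HIL trace of v_O: first-order rise to V_REF
    (time constant tau samples) plus a periodic oscillation. Assumed shape,
    not a simulation of the converter."""
    return [V_REF * (1.0 - math.exp(-k / tau)) + ripple_amp * math.sin(2 * math.pi * k / period)
            for k in range(n)]


def setup_index(trace: List[float], v_ref: float, tol: float) -> Optional[int]:
    """Index of the first sample after which every later sample is within
    +-tol of v_ref; None if the trace never settles (last sample out of band).
    Scanning backwards, the last out-of-band sample fixes the settling index."""
    for k in range(len(trace) - 1, -1, -1):
        if abs(trace[k] - v_ref) > tol:
            return k + 1 if k + 1 < len(trace) else None
    return 0


def ripple(trace: List[float], start: int) -> float:
    """Peak-to-peak excursion of trace[start:], the oscillation width at steady state."""
    tail = trace[start:]
    return max(tail) - min(tail)


def measure(trace: List[float], v_ref: float = V_REF, tol: float = 0.05,
            t_sample: float = T_SAMPLE, window: int = 200) -> Dict[str, Optional[float]]:
    """Setup time (secs) and ripple (V and % of v_ref). tol = 1% of V_REF and a
    200-sample ripple window are assumptions of this example."""
    k = setup_index(trace, v_ref, tol)
    if k is None:
        return {"setup_time": None, "ripple_v": None, "ripple_pct": None}
    start = max(k, len(trace) - window)
    r = ripple(trace, start)
    return {"setup_time": k * t_sample, "ripple_v": r, "ripple_pct": 100.0 * r / v_ref}


if __name__ == "__main__":
    print(measure(constructed_trace()))
```

On the constructed trace the settling index falls between samples 226 and 236 (the oscillation term decides exactly where), and the measured ripple is 0.01 V, i.e. 0.2% of $V_{ref}$, the same figure the text reports for $K_{11}$; a trace that never enters the band yields no setup time at all, which a verification script should treat as a failed specification rather than a number.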



9 Conclusions 

We presented an algorithm, and a tool QKS implementing it, to support a Formal Model Based Design approach to control software. Our tool takes as input a formal DTLHS model of the plant, implementation specifications (namely, number of bits in AD conversion), and system level formal specifications (namely, safety and liveness properties for the closed loop system). It returns as output a correct-by-construction C implementation (if any) of the control software (namely, Control_Law and Controllable_Region) with a WCET guaranteed to be linear in the number of bits of the quantization schema. We have shown the feasibility of our proposed approach by presenting experimental results on using it to synthesize C controllers for the buck DC-DC converter.

Figure 10: Controller performances: setup time and ripple.

In order to speed up the computation and to avoid possible numerical errors due to MILP solvers [38], a natural future research direction is to investigate fully symbolic control software synthesis algorithms based on efficient quantifier elimination procedures (e.g., see [36] and citations thereof).
A Proofs

A.1 From Bounded Predicates to Conjunctive Predicates

In this section, we prove Prop. 1.

Proposition 1. For each bounded guarded predicate $P(X)$, it is possible to compute an equivalent bounded conjunctive predicate $Q(X)$.

Proof. Predicate $Q(X)$ is obtained from the guarded predicate $P(X)$ by replacing each guarded constraint $\varphi$ in $P(X)$ with an equivalent linear constraint $\varphi^*$. We construct such a linear constraint $\varphi^*$ as follows. Let $x \in X$. Since $P(X)$ is bounded there exist $m_x, M_x \in \mathcal{D}_x$ such that $P(X)$ implies $m_x \le x \le M_x$. Let $a$ be a real number and $x \in X$. We write $\sup(ax)$ [$\inf(ax)$] for $aM_x$ [$am_x$] when $a \ge 0$ and for $am_x$ [$aM_x$] when $a < 0$. Let $L(X) = \sum_{i=1}^{n} a_i x_i$ be a linear expression. We write $\sup(L(X))$ for $\sum_{i=1}^{n} \sup(a_i x_i)$ and $\inf(L(X))$ for $\sum_{i=1}^{n} \inf(a_i x_i)$. Let $\varphi$ be $z \rightarrow (L(X) \le b)$. We pick $\varphi^*$ to be the linear constraint $(\sup(L(X)) - b)\,z + L(X) \le \sup(L(X))$. If $z = 0$ we have $\varphi = \varphi^*$ since $\varphi$ holds trivially and $\varphi^*$ reduces to $L(X) \le \sup(L(X))$, which holds by construction. If $z = 1$ both $\varphi$ and $\varphi^*$ reduce to $L(X) \le b$. Along the same line of reasoning, if $\varphi$ has form $\bar{z} \rightarrow (L(X) \le b)$ we pick $\varphi^*$ to be $(b - \sup(L(X)))\,z + L(X) \le b$.

□
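The rewriting in the proof of Prop. 1 is mechanical and easy to check by exhaustive evaluation on a bounded box. The following is an added example, not code from the paper or from QKS: it builds $\varphi^*$ from $\sup(L(X))$ for both guard shapes, $z \rightarrow (L(X) \le b)$ and $\bar{z} \rightarrow (L(X) \le b)$, and then compares $\varphi$ and $\varphi^*$ on every corner and on a grid of interior points of the box for both values of $z$. The variable names, bounds (the admissible box of Sect. 8.1 for $i_L$ and $v_O$) and the constraint $2 i_L - 3 v_O \le 5$ are constructed for this example; exact rationals are used so that the comparison is not disturbed by rounding.

```python
from fractions import Fraction
from itertools import product
from typing import Dict, Tuple

Bounds = Dict[str, Tuple[Fraction, Fraction]]   # x -> (m_x, M_x)
Linear = Dict[str, Fraction]                     # x -> coefficient a_x of x in L(X)


def sup_linear(L: Linear, bounds: Bounds) -> Fraction:
    """sup(L(X)) = sum_i sup(a_i x_i), with sup(a x) = a M_x if a >= 0 else a m_x."""
    return sum((a * bounds[x][1] if a >= 0 else a * bounds[x][0]) for x, a in L.items())


def inf_linear(L: Linear, bounds: Bounds) -> Fraction:
    """inf(L(X)) = sum_i inf(a_i x_i), with inf(a x) = a m_x if a >= 0 else a M_x."""
    return sum((a * bounds[x][0] if a >= 0 else a * bounds[x][1]) for x, a in L.items())


def guarded_to_linear(L: Linear, b: Fraction, bounds: Bounds,
                      negated_guard: bool = False) -> Tuple[Fraction, Fraction]:
    """Return (c, rhs) such that  c*z + L(X) <= rhs  is equivalent over the box
    to  z -> (L(X) <= b)  (or to  not z -> (L(X) <= b)  when negated_guard)."""
    s = sup_linear(L, bounds)
    if not negated_guard:
        return s - b, s        # (sup(L(X)) - b) z + L(X) <= sup(L(X))
    return b - s, b            # (b - sup(L(X))) z + L(X) <= b


def eval_linear(L: Linear, point: Dict[str, Fraction]) -> Fraction:
    return sum(a * point[x] for x, a in L.items())


def guarded_holds(z: int, L: Linear, b: Fraction, point: Dict[str, Fraction],
                  negated_guard: bool = False) -> bool:
    """Semantics of the guarded constraint at (z, point)."""
    guard = (z == 0) if negated_guard else (z == 1)
    return (not guard) or eval_linear(L, point) <= b


def linear_holds(z: int, c: Fraction, L: Linear, rhs: Fraction,
                 point: Dict[str, Fraction]) -> bool:
    """Semantics of the candidate linear constraint c*z + L(X) <= rhs."""
    return c * z + eval_linear(L, point) <= rhs


def equivalent_on_box(L: Linear, b: Fraction, bounds: Bounds, c: Fraction, rhs: Fraction,
                      negated_guard: bool = False, steps: int = 4) -> bool:
    """Brute-force check on a (steps+1)^|X| grid of the box, corners included,
    and on both values of z. Any candidate (c, rhs) can be checked this way."""
    names = list(L)
    grids = [[bounds[x][0] + (bounds[x][1] - bounds[x][0]) * Fraction(k, steps)
              for k in range(steps + 1)] for x in names]
    for coords in product(*grids):
        point = dict(zip(names, coords))
        for z in (0, 1):
            if guarded_holds(z, L, b, point, negated_guard) != linear_holds(z, c, L, rhs, point):
                return False
    return True


# Constructed instance: the box A_{i_L} x A_{v_O} of Sect. 8.1 and the guarded
# constraint  z -> (2 i_L - 3 v_O <= 5).
BOUNDS: Bounds = {"i_L": (Fraction(-4), Fraction(4)), "v_O": (Fraction(-1), Fraction(7))}
L_EX: Linear = {"i_L": Fraction(2), "v_O": Fraction(-3)}
B_EX = Fraction(5)

if __name__ == "__main__":
    c, rhs = guarded_to_linear(L_EX, B_EX, BOUNDS)
    print("sup(L) =", sup_linear(L_EX, BOUNDS), " phi* :", f"{c} z + L(X) <= {rhs}",
          " equivalent:", equivalent_on_box(L_EX, B_EX, BOUNDS, c, rhs))
```

Here $\sup(L(X)) = 2 \cdot 4 + (-3)(-1) = 11$, so $\varphi^*$ is $6z + 2 i_L - 3 v_O \le 11$; the check also shows why the constant must come from the bounds: replacing 11 by any smaller right-hand side makes $\varphi^*$ reject the corner $(4, -1)$ when $z = 0$, where $\varphi$ holds trivially.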

A.2 Uniqueness of the Most General Optimal Controller

In this section, we prove Prop. 2.

Proposition 2. An LTS control problem $(\mathcal{S}, \emptyset, G)$ always has a unique strong mgo $K^*$. Moreover, for all $I \subseteq S$, we have:

• if $I \subseteq \mathrm{Dom}(K^*)$, then $K^*$ is the unique strong mgo for the control problem $(\mathcal{S}, I, G)$;

• if $I \not\subseteq \mathrm{Dom}(K^*)$, then the control problem $(\mathcal{S}, I, G)$ has no strong solution.
Proof. Let $\mathcal{S} = (S, A, T)$ be an LTS, and let $(\mathcal{S}, I, G)$ be an LTS control problem. We define the sequences of sets $D_n$ and $F_n$ as follows:

$D_0 = \emptyset$

$F_1 = \{s \in S \mid \exists a \in A.\ a \in \mathrm{Adm}(\mathcal{S}, s) \wedge \mathrm{Img}(\mathcal{S}, s, a) \subseteq G\}$

$F_{n+1} = \{s \in S \setminus D_n \mid \exists a \in A.\ a \in \mathrm{Adm}(\mathcal{S}, s) \wedge \mathrm{Img}(\mathcal{S}, s, a) \subseteq D_n\}$

$D_{n+1} = D_n \cup F_{n+1}$

Intuitively, $D_n$ is the set of states which can be driven inside $G$ in at most $n$ steps, notwithstanding nondeterminism. $F_n$ is the subset of $D_n$ containing only those states for which at least a path to $G$ of length exactly $n$ exists.

The following properties hold for $D_n$ and $F_n$:

1. If $F_n = \emptyset$ for some $n \ge 1$, then for all $m \ge n$, $F_m = \emptyset$. In fact, if $F_n = \emptyset$, then $D_n = D_{n-1}$, and hence $F_{n+1} = F_n = \emptyset$.

2. If $D_{n+1} = D_n$ for some $n \ge 0$, then for all $m \ge n$, $D_m = D_n$. This immediately follows from the previous point 1.

3. $D_n = \bigcup_{1 \le j \le n} F_j$ for $n \ge 1$ (also for $n \ge 0$ if we take the union of no sets to be $\emptyset$). We prove this property by induction on $n$. As for the induction base, we have that $D_1 = F_1$. As for the inductive step,

$D_{n+1} = D_n \cup F_{n+1} = \bigcup_{1 \le j \le n} F_j \cup F_{n+1} = \bigcup_{1 \le j \le n+1} F_j$.

4. $F_i \cap F_j = \emptyset$ for all $i \ne j$. We have that if $s \in F_{n+1}$ then $s \notin D_n$. By previous point 3, we have that $s \notin D_n$ implies $s \notin F_j$ for $1 \le j \le n$. Hence, $s \in F_{n+1}$ implies that $s \notin F_j$ for all $1 \le j \le n$. If by absurd a state $s$ exists s.t. $s \in F_i \cap F_j$ for some $i > j$, then $s \in F_i$ would imply $s \notin F_j$.

For all $s \in S$ and $a \in A$, we define the controller $K : S \times A \to \mathbb{B}$ as follows:

$K(s, a) \triangleq (\exists n > 1.\ s \in F_n \wedge a \in \mathrm{Adm}(\mathcal{S}, s) \wedge \mathrm{Img}(\mathcal{S}, s, a) \subseteq D_{n-1}) \vee (s \in F_1 \wedge a \in \mathrm{Adm}(\mathcal{S}, s) \wedge \mathrm{Img}(\mathcal{S}, s, a) \subseteq G)$

Note that $\mathrm{Dom}(K) = D = \bigcup_{n \in \mathbb{N}} D_n$, i.e. the domain of $K$ is the least upper bound of the sets $D_n$ (we are not supposing $S$ to be finite, thus there may be a nonempty $D_n$ for any $n \in \mathbb{N}$).

$K$ is a strong solution to $(\mathcal{S}, \emptyset, G)$. To prove this, we show that, if $t \in F_n$, then $J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, t) = n$ (note that $t \in \mathrm{Dom}(K)$ implies $t \in F_n$ for some $n \ge 1$). In fact, if $t \in F_1$ then $J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, t) = \sup\{J^{(a)}(\mathcal{S}^{(K)}, G, t, a) \mid a \in \mathrm{Adm}(\mathcal{S}^{(K)}, t)\} = \sup\{J^{(a)}(\mathcal{S}^{(K)}, G, t, a) \mid a \text{ is s.t. } \emptyset \ne \mathrm{Img}(\mathcal{S}, t, a) \subseteq G\} = \sup\{\sup\{J(\mathcal{S}^{(K)}, G, \pi) \mid \pi \in \mathrm{Path}(\mathcal{S}^{(K)}, t, a)\} \mid a \text{ is s.t. } \emptyset \ne \mathrm{Img}(\mathcal{S}, t, a) \subseteq G\} = \sup\{J(\mathcal{S}^{(K)}, G, \pi) \mid \pi \in \{\pi \in \mathrm{Path}(\mathcal{S}^{(K)}, t, a) \mid a \text{ is s.t. } \emptyset \ne \mathrm{Img}(\mathcal{S}, t, a) \subseteq G\}\} = \sup\{\min\{k \mid k > 0 \wedge \pi^{(S)}(k) \in G\} \mid \pi \in \{\pi \in \mathrm{Path}(\mathcal{S}^{(K)}, t, a) \mid a \text{ is s.t. } \emptyset \ne \mathrm{Img}(\mathcal{S}, t, a) \subseteq G\}\}$. Since for all $\pi \in \{\pi \in \mathrm{Path}(\mathcal{S}^{(K)}, t, a) \mid a \text{ is s.t. } \emptyset \ne \mathrm{Img}(\mathcal{S}, t, a) \subseteq G\}$ we have that $\pi^{(S)}(1) \in G$, we finally have that $J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, t) = \sup\{1\} = 1$. On the other hand, if $t \in F_n$ then $J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, t) = \sup\{\min\{k \mid k > 0 \wedge \pi^{(S)}(k) \in G\} \mid \pi \in \{\pi \in \mathrm{Path}(\mathcal{S}^{(K)}, t, a) \mid a \text{ is s.t. } \emptyset \ne \mathrm{Img}(\mathcal{S}, t, a) \subseteq D_{n-1}\}\} = \sup\{n_1, \ldots, n_j, \ldots\}$. We have that, for all $j$, $n_j \le n$. In fact, being $t \in F_n$ and $a$ s.t. $\emptyset \ne \mathrm{Img}(\mathcal{S}, t, a) \subseteq D_{n-1}$, we have that $\pi^{(S)}(1) \in D_{n-1}$ for all paths $\pi \in \mathrm{Path}(\mathcal{S}^{(K)}, t, a)$. This implies that $\pi^{(S)}(1) \in D_{n-2} \vee \pi^{(S)}(1) \in F_{n-1}$. By property 3 above, this implies that there exists $1 \le i \le n-1$ s.t. $\pi^{(S)}(1) \in F_i$. By iterating $n-1$ times such a reasoning, we obtain that there exists $1 \le i \le n$ s.t. $\pi^{(S)}(i) \in G$, which implies $n_j \le n$ for all $j$. Moreover, there exists a path $\pi \in \mathrm{Path}(\mathcal{S}^{(K)}, t, a)$ s.t. $\pi^{(S)}(n) \in G$ and for all $0 \le i < n$ we have that $\pi^{(S)}(i) \notin G$. Suppose by absurd that for all paths $\pi \in \mathrm{Path}(\mathcal{S}^{(K)}, t, a)$ we have that, if for all $0 \le i < n$ $\pi^{(S)}(i) \notin G$, then $\pi^{(S)}(n) \notin G$. By using an iterative reasoning as above, it is possible to show that this contradicts $t$ being in $F_n$ and $a$ being s.t. $\emptyset \ne \mathrm{Img}(\mathcal{S}, t, a) \subseteq D_{n-1}$. Thus, being $n_j \le n$ for all $j$ and existing a $j$ s.t. $n_j = n$, we have that

$J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, t) = \sup\{n_1, \ldots, n_j, \ldots\} = n$.

Note that also the converse holds, i.e. $J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, t) = n$ implies $t \in F_n$. This can be proved analogously to the reasoning above.

To prove that $K$ is optimal, let us suppose that there exists another solution $\bar{K}$ and that there exists a nonempty set $Z$ of states, such that for all $z \in Z$, $J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, z) > J_{\mathrm{strong}}(\mathcal{S}^{(\bar{K})}, G, z)$. Let $z_0 \in Z$ be a state for which $J_{\mathrm{strong}}(\mathcal{S}^{(\bar{K})}, G, z_0) = n$ is minimal in $Z$, and let $a \in A$ be such that $\bar{K}(z_0, a)$.

We have that $n = 1$ implies that $\mathrm{Img}(\mathcal{S}, z_0, a) \subseteq G$. But in such a case, $z_0$ would belong to $F_1$, and hence $J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, z_0) = 1 = J_{\mathrm{strong}}(\mathcal{S}^{(\bar{K})}, G, z_0)$.

If $n > 1$, for all $s \in \mathrm{Img}(\mathcal{S}, z_0, a)$, we have that $J_{\mathrm{strong}}(\mathcal{S}^{(\bar{K})}, G, s) \le n - 1$. Since $n$ is the minimal distance for which $J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, z) > J_{\mathrm{strong}}(\mathcal{S}^{(\bar{K})}, G, z) = n$, we have that for all $s \in \mathrm{Img}(\mathcal{S}, z_0, a)$, $J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, s) \le J_{\mathrm{strong}}(\mathcal{S}^{(\bar{K})}, G, s) \le n - 1$. This implies that $J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, z_0) \le n$, which is absurd.

To prove that $K$ is the most general optimal solution, we proceed in a similar way. Let us suppose that there exists another optimal solution $\bar{K}$ and that there exists a nonempty set $Z$ of states, such that for all $z \in Z$ there exists an action $a$ s.t. $\bar{K}(z, a)$ and $\neg K(z, a)$ holds. Let $z_0 \in Z$ be a state for which $J_{\mathrm{strong}}(\mathcal{S}^{(\bar{K})}, G, z_0) = n$ is minimal in $Z$.

If $n = 1$ we have that $\mathrm{Img}(\mathcal{S}, z_0, a) \subseteq G$ and thus $z_0 \in F_1$ and $K(z_0, a)$, which leads to a contradiction.

If $n > 1$, by minimality of $J_{\mathrm{strong}}(\mathcal{S}^{(\bar{K})}, G, z_0)$ in $Z$ we have that, for all $s \in \mathrm{Img}(\mathcal{S}, z_0, a)$, $\bar{K}(s, u)$ implies $K(s, u)$. This implies that $\mathrm{Img}(\mathcal{S}, z_0, a) \subseteq D_{n-1}$ and thus $K(z_0, a)$ holds.

□

A.3 LTS Controller Synthesis

Symbolic (OBDD based) control software synthesis algorithms for finite state deterministic LTSs have been studied in [43] and citations thereof. In such a context of course strong and weak solutions are the same. Symbolic (OBDD based) control synthesis algorithms for finite state nondeterministic LTSs have been studied in [14] in a universal planning setting. In such a context strong and weak solutions in general differ.

To compute strong solutions, we implemented a variant of the algorithm in [14] in function strongCtr. In our variant, a strong controller for the given LTS control problem is always returned, even if it is not possible to entirely control the given initial region (see Sect. 6.1). More precisely, it returns the strong mgo (see the definition of strong mgo), i.e. the unique strong solution $K$ to a control problem $(\mathcal{S}, I, G)$ that, disallowing as few actions as possible, drives as many states as possible to a state in $G$ along a shortest path. For the sake of completeness, we show the resulting algorithm in Alg. 4.

Analogously, function existsWeakCtr exploits the algorithm in [13] to verify the existence of weak solutions. Function existsWeakCtr is shown in Alg. 5.

Correctness of function strongCtr in Alg. 4 is proved in Prop. 12.

Proposition 12. Let $\mathcal{S} = (S, A, T)$ be an LTS and $\mathcal{P} = (\mathcal{S}, I, G)$ be an LTS control problem. Then, strongCtr$(\mathcal{S}, I, G)$ returns $(b, D, K)$ s.t. $K$ is the strong mgo for $(\mathcal{S}, \emptyset, G)$, $D = \mathrm{Dom}(K)$ and $b$ is TRUE iff $K$ is the strong mgo for $\mathcal{P}$.
Algorithm 4 Building a strong mgo for an LTS control problem

Input: An LTS control problem $(\mathcal{S}, I, G)$, $\mathcal{S} = (S, A, T)$.

1. strongCtr$(\mathcal{S}, I, G)$
2. $K(s, a) \leftarrow \emptyset$, $D(s) \leftarrow G(s)$, $\tilde{D}(s) \leftarrow \emptyset$
3. while $D(s) \ne \tilde{D}(s)$ do
4.   $F(s, a) \leftarrow \exists s'\, T(s, a, s') \wedge \forall s'\, [T(s, a, s') \Rightarrow D(s')]$
5.   $K(s, a) \leftarrow K(s, a) \vee (F(s, a) \wedge \neg\exists a\, K(s, a))$
6.   $\tilde{D}(s) \leftarrow D(s)$, $D(s) \leftarrow D(s) \vee \exists a\, K(s, a)$
7. return $(\forall s\, [I(s) \Rightarrow \exists a\, K(s, a)],\ \exists a\, K(s, a),\ K(s, a))$



Proof. We observe that during a generic iteration $i$ the set of states $\{s \mid \exists a\, F(s, a)\}$ is exactly the set of states $F_i$, and $\{s \mid D(s)\}$ is exactly the set of states $D_i$ considered in the proof of Prop. 2 in App. A.2. As a consequence, the thesis holds by the proof of Prop. 2.

□

Algorithm 5 Existence of LTS control problem weak solutions

Input: An LTS control problem $(\mathcal{S}, I, G)$, $\mathcal{S} = (S, A, T)$.

1. existsWeakCtr$(\mathcal{S}, I, G)$
2. $K(s, a) \leftarrow \emptyset$, $D(s) \leftarrow G(s)$, $\tilde{D}(s) \leftarrow \emptyset$
3. while $D(s) \ne \tilde{D}(s)$ do
4.   $F(s, a) \leftarrow \exists s'\, [T(s, a, s') \wedge D(s')]$
5.   $K(s, a) \leftarrow K(s, a) \vee (F(s, a) \wedge \neg\exists a\, K(s, a))$
6.   if $\forall s\, [I(s) \Rightarrow \exists a\, K(s, a)]$ then
7.     return TRUE
8.   $\tilde{D}(s) \leftarrow D(s)$, $D(s) \leftarrow D(s) \vee \exists a\, K(s, a)$
9. return FALSE

Correctness of function existsWeakCtr in Alg. 5 may be proved analogously to Prop. 12.

Proposition 13. Let $\mathcal{S} = (S, A, T)$ be an LTS and $\mathcal{P} = (\mathcal{S}, I, G)$ be an LTS control problem. Then, existsWeakCtr$(\mathcal{S}, I, G)$ returns TRUE iff there exists a weak mgo for $\mathcal{P}$.
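Algs. 4 and 5 are stated symbolically over OBDDs; the same fixpoints are easier to follow on an explicit finite LTS. The following is an added example, not code from the paper or from QKS: it runs strongCtr and existsWeakCtr on a small nondeterministic LTS constructed for the purpose (a transition map from (state, action) to the image set), representing a controller as a map from each controlled state to its allowed actions. The one point that needs care is line 5 of both algorithms: the test $\neg\exists a\, K(s, a)$ is evaluated on $K$ as it was before the iteration, so a state receives, all at once, every action of its shortest layer and nothing from later layers, which is what makes the result the most general optimal controller of Prop. 2.

```python
from typing import Dict, Set, Tuple

State, Action = str, str
Trans = Dict[Tuple[State, Action], Set[State]]   # (s, a) -> Img(S, s, a)
Ctrl = Dict[State, Set[Action]]                  # K as state -> allowed actions

# Constructed LTS (not from the paper). "g" is the goal; "s2" is a trap;
# "s3" reaches the goal only when nondeterminism is kind; "s4" has a
# one-step route ("b") and a two-step route ("a").
T_EX: Trans = {
    ("s0", "a"): {"s1"},
    ("s0", "b"): {"s1", "s2"},
    ("s0", "c"): {"s1", "g"},
    ("s1", "a"): {"g"},
    ("s2", "a"): {"s2"},
    ("s3", "a"): {"g", "s2"},
    ("s4", "a"): {"s0"},
    ("s4", "b"): {"s1"},
    ("g", "a"): {"g"},
}
G_EX = {"g"}


def _extend(K: Ctrl, F: Set[Tuple[State, Action]]) -> None:
    """Line 5 of Alg. 4 / Alg. 5:  K(s,a) <- K(s,a) OR (F(s,a) AND not exists a K(s,a)).
    `newly` is computed from K before any update, i.e. the simultaneous
    assignment of the symbolic algorithm."""
    newly = {s for s, _ in F if s not in K}
    for s, a in F:
        if s in newly:
            K.setdefault(s, set()).add(a)


def strong_ctr(T: Trans, I: Set[State], G: Set[State]) -> Tuple[bool, Set[State], Ctrl]:
    """Alg. 4 (strongCtr). Returns (b, D, K): K is the strong mgo for (S, ∅, G),
    D = Dom(K), and b is True iff every initial state is in D."""
    K: Ctrl = {}
    D, D_prev = set(G), None
    while D != D_prev:
        # line 4: a successor exists and every successor is already in D
        F = {(s, a) for (s, a), img in T.items() if img and img <= D}
        _extend(K, F)
        D_prev, D = D, D | set(K)           # line 6
    D = set(K)                              # line 7: exists a K(s,a)
    return I <= D, D, K


def exists_weak_ctr(T: Trans, I: Set[State], G: Set[State]) -> bool:
    """Alg. 5 (existsWeakCtr): the image test becomes existential (some
    successor already in D) and the search stops as soon as I is covered."""
    K: Ctrl = {}
    D, D_prev = set(G), None
    while D != D_prev:
        F = {(s, a) for (s, a), img in T.items() if img & D}   # line 4
        _extend(K, F)
        if I <= set(K):                      # line 6
            return True
        D_prev, D = D, D | set(K)            # line 8
    return False


if __name__ == "__main__":
    b, D, K = strong_ctr(T_EX, {"s0", "s4"}, G_EX)
    print("strong:", b, sorted(D), {s: sorted(a) for s, a in K.items()})
    print("weak from s3:", exists_weak_ctr(T_EX, {"s3"}, G_EX),
          " weak from s2:", exists_weak_ctr(T_EX, {"s2"}, G_EX))
```

On this LTS the strong mgo keeps both "a" and "c" at "s0" (both reach $D_1 = \{g, s1\}$ in one step) but drops "b", whose image includes the trap; at "s4" it keeps only the one-step action "b", since "a" becomes viable only in a later layer; "s3" gets no strong controller at all, yet existsWeakCtr accepts it, because one of its successors is the goal.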
A.4 Undecidability of DTLHS Quantized Feedback Control Problem

In this section we prove the undecidability of the DTLHS quantized feedback control problem, i.e. that existence of QFC strong and weak solutions to a DTLHS quantized control problem is undecidable (Theor. 3). Along the same lines of similar undecidability proofs [23], we first show that a two-counter machine $M$ can be encoded as a DTLHS $\mathcal{H}_M$ without inputs in such a way that $M$ halts if and only if $\mathcal{H}_M$ reaches a goal region. This immediately implies that DTLHS reachability is undecidable. Since $\mathcal{H}_M$ has no controllable actions, existence of a weak controller is equivalent to a reachability problem, thus it is undecidable. For the same reason, actions enabled by any controller for $\mathcal{H}_M$ do not depend on real valued variables. As a consequence, a quantized weak control problem on $\mathcal{H}_M$ is equivalent to a DTLHS control problem on $\mathcal{H}_M$. Since weak solutions to deterministic LTS control problems are also strong solutions, and being $\mathcal{H}_M$ deterministic, existence of a strong solution to a DTLHS (quantized) control problem is undecidable.

A.4.1 Two-Counter Machines

A two-counter machine [2S] M consists of two counters that store unbounded natural numbers and a finite control that is a finite sequence of statements (1 : stmt_1, ..., n : stmt_n), where stmt ::= inc(i) k | dec(i) k | beq i k | halt, with i ∈ {0, 1}. Computations start from the statement labeled 1. The execution of j : inc(i) k increments the counter i, and the execution of j : dec(i) k decrements the counter i, leaving it unchanged if it is 0. In both cases, execution continues to the statement labeled k. If the counter i is 0, the execution of j : beq i k causes a jump to the statement labeled k. Otherwise, the statement labeled j + 1 will be executed. Finally, the execution stops if a halt statement is executed. The halting problem for two-counter machines is undecidable.

Lemma 14. For any two-counter machine M, there exist a bounded and deterministic DTLHS H_M and two predicates I and G such that M halts if and only if G is reachable from I in H_M.

Proof. Let M be a two-counter machine and let H_M be the DTLHS (X, U, Y, N), where X^r = {x_0, x_1}, X^d = {l, g}, and U = Y = ∅. Since we are dealing with bounded DTLHSs, we use two real variables x_0 and x_1 to encode the values stored in the counters. Each natural number n is encoded by the rational number 1/2^n. Variables x_i are both bounded by the predicate 0 ≤ x_i ≤ 1. A discrete variable l stores the label of the statement currently under execution and it is bounded by 0 ≤ l ≤ n, where n is the number of statements in the finite control of M. Finally, the boolean variable g encodes termination of the computation of M. The transition relation N encodes the execution of the control program. Let U(X, X') be the predicate ⋀_{x∈X} x' = x. A program (1 : stmt_1, ..., n : stmt_n) is encoded by the predicate N = ⋀_{j=1}^{n} [j : stmt_j], where:

[j : dec(i) k] = (l ≠ j) ∨ (((x_i = 1) ∨ (x_i' = 2x_i)) ∧ ((x_i ≠ 1) ∨ (x_i' = 1)) ∧ (l' = k) ∧ U(x_{1−i}, g))

[j : inc(i) k] = (l ≠ j) ∨ ((x_i' = x_i/2) ∧ (l' = k) ∧ U(x_{1−i}, g))

[j : beq i k] = (l ≠ j) ∨ (((x_i ≠ 1) ∨ (l' = k)) ∧ ((x_i = 1) ∨ (l' = l + 1)) ∧ U(x_{1−i}, g))

[j : halt] = (l ≠ j) ∨ ((l' = j) ∧ (g' = 1) ∧ U(x_0, x_1))

We observe that we use negation as syntactic sugar to improve readability. Indeed, since x_i can assume only values of the form 1/2^n for some n ∈ N, the condition x_i ≠ 1 can be replaced by the constraint x_i ≤ 1/2. Moreover, since l is a discrete variable, the condition l ≠ j can be replaced by the predicate (l ≤ j − 1) ∨ (l ≥ j + 1).

It is possible to check that N((l, 1/2^n, 1/2^m, g), ε, (l', 1/2^{n'}, 1/2^{m'}, g')) holds if and only if, after executing the statement labeled l with n and m as counter values, M will execute the statement labeled l' with n' and m' as counter values. Moreover, if g = 0, g' will be 1 if and only if the statement labeled l is a halt statement.

Let I be the predicate l = 1 ∧ g = 0 and G the predicate g = 1. G is reachable from I in H_M if and only if the computation of M terminates.

Finally, we have to show that N can be written as a conjunctive predicate. Any predicate P(X) can be written as an equivalent DNF ⋁_{i=1}^{n} ⋀_{j=1}^{m_i} C_ij(X), where the C_ij(X) are constraints. By introducing n fresh boolean auxiliary variables z_1, ..., z_n this is equivalent to ⋀_{i=1}^{n} (z_i → ⋀_{j=1}^{m_i} C_ij(X)) ∧ Σ_{i=1}^{n} z_i ≥ 1, which in turn is equivalent to ⋀_{i=1}^{n} ⋀_{j=1}^{m_i} (z_i → C_ij(X)) ∧ Σ_{i=1}^{n} z_i ≥ 1. Being N bounded, by Prop. 1 this can be transformed into a conjunctive predicate. For example:

[j : halt] = (z_{j,1} → (l ≥ j + 1)) ∧ (z_{j,2} → (l ≤ j − 1)) ∧ (z_{j,3} → (l' = j)) ∧ (z_{j,3} → (g' = 1)) ∧ (z_{j,3} → (x_0' = x_0)) ∧ (z_{j,3} → (x_1' = x_1)) ∧ Σ_{i=1}^{3} z_{j,i} ≥ 1

□

Note that Lemma 14 immediately implies undecidability for the DTLHS reachability problem, i.e. it is undecidable if there exists a path from a DTLHS state in a region I to a DTLHS state in a region G.

Proposition 15. Existence of strong and weak solutions to a bounded DTLHS control problem is undecidable.

Proof. For any two-counter machine M, the DTLHS H_M has no controllable actions. Let K be the controller that enables all actions, i.e. such that ∀x ∈ A_X K(x, ε) holds. K is a weak solution to the control problem (H_M, I, G) if and only if G is reachable from I (observe that states in G are controlled by K). Moreover, since the transition relation of H_M is deterministic, K is a weak solution to (H_M, I, G) if and only if it is a strong solution. □

Theorem 3. The DTLHS quantized control problem is undecidable.

Proof. The controller K considered in the proof of Theorem 15 is a quantized controller. Indeed, for any quantization Q = (A, Γ), let K̂ be defined by ∀x̂ ∈ Γ(A_X) K̂(x̂, ε). We have that K(x, ε) = K̂(Γ(x), ε). □

A.5 Undecidability of Self Loops Eliminability

In this section we prove Prop. 4. In order to do this, we introduce nondeterministic two-counter machines [3] (NDTCM in the following). W.r.t. the deterministic definition given in Sect. A.4.1, we modify the inc [dec] statement as follows: inc(i) k_1 k_2 [dec(i) k_1 k_2] increments [decrements] counter i and then nondeterministically continues its execution at label k_1 or k_2. A run ρ = (l_0, v_00, v_10), ..., (l_i, v_0i, v_1i), ... on a NDTCM M with finite control (1 : stmt_1, ..., n : stmt_n) is a sequence of configurations (l_i, v_0i, v_1i) s.t. l_0 = 1 and:

• for all i ≥ 0, 1 ≤ l_i ≤ n is a label and v_ji is the value of counter j;

• for all i ≥ 0, (l_{i+1}, v_{0,i+1}, v_{1,i+1}) is a possible result of executing the statement at label l_i with register values v_0i, v_1i. Namely:

  – if the statement at label l_i is inc(j) k_1 k_2 [dec(j) k_1 k_2] then l_{i+1} ∈ {k_1, k_2}, v_{j,i+1} = v_ji + 1 [v_{j,i+1} = max{v_ji − 1, 0}] and v_{1−j,i+1} = v_{1−j,i};

  – if the statement at label l_i is beq j k then l_{i+1} is k if v_ji = 0 and is l_i + 1 otherwise, and v_{b,i+1} = v_{b,i} for b = 0, 1;

  – if the statement at label l_i is halt then ρ = (l_0, v_00, v_10), ..., (l_i, v_0i, v_1i) has finite length i.

Note that a (deterministic) two-counter machine as defined in Sect. A.4.1 is a NDTCM where, for all statements inc(i) k_1 k_2, we have k_1 = k_2 (and analogously for dec statements). Thus, from the undecidability of the halting problem for two-counter machines, it is easy to show that it is undecidable whether there exists an infinite run ρ = (l_0, v_00, v_10), ..., (l_i, v_0i, v_1i), ... on a NDTCM.

Proposition 4. Given a DTLHS H and a quantization Q, it is undecidable to state if a self loop is non-eliminable.

Proof. Let M be a NDTCM. We encode M in a DTLHS H_M = (X, U, Y, N), where X^r = {x_0, x_1, l}, X^d = {g}, and U = Y = ∅. N = (⋁_{j=1}^{n} l = j) ∧ (⋁_{j=1}^{n} l' = j) ∧ ⋀_{j=1}^{n} [j : stmt_j] is defined as in the proof of Lemma 14 with the following differences:

[j : dec(i) k_1 k_2] = (l ≠ j) ∨ (((x_i = 1) ∨ (x_i' = 2x_i)) ∧ ((x_i ≠ 1) ∨ (x_i' = 1)) ∧ (l' = k_1 ∨ l' = k_2) ∧ U(x_{1−i}, g))

[j : inc(i) k_1 k_2] = (l ≠ j) ∨ ((x_i' = x_i/2) ∧ (l' = k_1 ∨ l' = k_2) ∧ U(x_{1−i}, g))

Let Q = (A, Γ) be the quantization defined as follows: A_{x_0} = A_{x_1} = [0, 1], A_l = [1, n], A_g = B = {0, 1}, A_Y = {0}, γ_{x_0}(x) = γ_{x_1}(x) = γ_l(x) = 1. Note that we have only two abstract states: (x̂_0, x̂_1, l̂, ĝ) = (1, 1, 1, 0) and (x̂_0, x̂_1, l̂, ĝ) = (1, 1, 1, 1). Then, the self loop ((1, 1, 1, 0), 0, (1, 1, 1, 0)) is non-eliminable iff there exists an infinite run on M. Being the latter an undecidable problem, we cannot decide if a self loop is eliminable or non-eliminable.

□
A.6 Control Abstraction Properties

In this section we give proofs about control abstraction properties.

Fact 5. Let M_1 = (S, B, T_1) and M_2 = (S, B, T_2) be two admissible Q control abstractions of a DTLHS H, with Q = (A, Γ) a quantization for H. Then ∀x̂, x̂' ∈ S s.t. x̂ ≠ x̂', ∀â ∈ B [T_1(x̂, â, x̂') ⇔ T_2(x̂, â, x̂')]. The same holds if M_1, M_2 are full Q control abstractions.

Proof. Let x̂ ≠ x̂' ∈ S, â ∈ B be such that T_1(x̂, â, x̂') holds. If M_1 is an admissible Q control abstraction, this implies, by point 1 of Def. 14, that â is A-admissible in x̂. From point 1 of Def. 13 (for the admissible control abstraction case) or Def. 13 of full control abstraction (for the full control abstraction case), and from T_1(x̂, â, x̂'), it follows that ∃x ∈ Γ^{-1}(x̂) ∃x' ∈ Γ^{-1}(x̂') ∃a ∈ Γ^{-1}(â) ∃y N(x, a, y, x'). By point 2 of Def. 13 this implies that T_2(x̂, â, x̂') holds.

The same reasoning may be applied to prove the other implication.

□

Fact 6. Given a DTLHS H and a quantization Q, the set (C(H, Q), ⊆) of Q control abstractions of H is a lattice. Moreover, the set of admissible [full] Q control abstractions of H, (C_a(H, Q), ⊆) [(C_f(H, Q), ⊆)], is a lattice.

Proof. By conditions 2 and 3 of Def. 13, all control abstractions contain all admissible actions that have a concrete witness and all non-eliminable self-loops.

As a consequence, if S is the set of eliminable self-loops and U is the set of non admissible actions, then (C(H, Q), ⊆) is isomorphic to the complete lattice (2^{S∪U}, ⊆).

Analogously, both (C_a(H, Q), ⊆) and (C_f(H, Q), ⊆) are isomorphic to the complete lattice (2^S, ⊆).

□

Theorem 8. Let H = (X, U, Y, N) be a DTLHS, Q = (A, Γ) be a quantization for H, and (H, I, G) be a control problem.

1. If Ĥ is an admissible Q control abstraction and K̂ is a strong solution to the LTS control problem (Ĥ, Γ(I), Γ(G)) then K(x, u) = K̂(Γ(x), Γ(u)) is a Q QFC strong solution to the DTLHS control problem (H, I, G).

2. If Ĥ_1, Ĥ_2 are two admissible Q control abstractions of H s.t. Ĥ_1 ⊆ Ĥ_2, and K̂ is a strong solution to the LTS control problem (Ĥ_2, Γ(I), Γ(G)), then K̂ is a strong solution to the LTS control problem (Ĥ_1, Γ(I), Γ(G)).

3. If Ĥ is a full Q control abstraction and the LTS control problem (Ĥ, Γ(I), Γ(G)) does not have a weak solution then there exists no Q QFC (weak as well as strong) solution to the DTLHS control problem (H, I, G).

4. If Ĥ_1, Ĥ_2 are two full Q control abstractions of H s.t. Ĥ_1 ⊆ Ĥ_2, and K̂ is a weak solution to the LTS control problem (Ĥ_1, Γ(I),Γ(G)), then K̂ is a weak solution to the LTS control problem (Ĥ_2, Γ(I), Γ(G)).

Proof. The idea underlying the proof is that two different admissible control abstractions, with the same quantization, have the same loop free structure, i.e. the same arcs except for self loops, as proved by Prop. 13. For ease of notation, given a state x (resp. an action u) we will often denote the corresponding abstract state Γ(x) (resp. action Γ(u)) with x̂ (resp. û). Analogously, we will often write Î (resp. Ĝ) for Γ(I) (resp. Γ(G)). In the following, P = (H, I, G), P̂ = (Ĥ, Γ(I), Γ(G)), and Ĥ = (Γ(A_X), Γ(A_U), N̂).

Proof of point 1. Applying the definition of solution to a DTLHS control problem (Def. 10), we have to show that if K̂ is a strong solution to the LTS control problem (Ĥ, Î, Ĝ), then K defined by K(x, u) = K̂(x̂, û) is a strong solution to the LTS control problem (LTS(H), I, B_{||Γ||}(G)).

Note that, since Ĥ is an admissible control abstraction, it contains admissible actions only. This implies that all actions enabled by K̂ in x̂ are Q-admissible in x̂. Hence, we have that all actions enabled by K in x are A-admissible in x. Together with point 2 of Def. 13, this implies that, for any transition (x, u, x') of LTS(H)^(K) such that x̂ ≠ x̂', (x̂, û, x̂') is an (abstract) transition of Ĥ^(K̂).

First of all, we prove that I ⊆ Dom(K). Given a state x ∈ I, we have that x̂ ∈ Î. Since K̂ is a strong solution to P̂, we have that Î ⊆ Dom(K̂), thus x̂ ∈ Dom(K̂). Hence, there exists û ∈ Γ(A_U) such that K̂(x̂, û) holds. By definition of K, we have that for all u ∈ Γ^{-1}(û) and for all x ∈ Γ^{-1}(x̂) K(x, u) holds, which means that x ∈ Dom(K).

Now, we prove that for all x ∈ Dom(K), J_strong(LTS(H)^(K), B_{||Γ||}(G), x) is finite. Let us suppose by absurd that J_strong(LTS(H)^(K), B_{||Γ||}(G), x) = ∞. This implies that one of the two following holds:
1. there exists a finite fullpath π = x_0 u_0 x_1 u_1 ... x_n u_n in LTS(H)^(K) such that x_0 = x, Adm(LTS(H)^(K), x_n) = ∅ and, for all i ∈ [n], x_i ∉ B_{||Γ||}(G);

2. there exists an infinite fullpath π = x_0 u_0 x_1 u_1 ... x_n u_n ... in LTS(H)^(K) such that x_0 = x and, for all i ∈ N, x_i ∉ B_{||Γ||}(G).

Let us deal with the finite fullpath case first (point 1 above). Let π = x_0 u_0 ... u_{n−1} x_n, and let ρ be defined from π by collapsing all consecutive equal (abstract) states into one state. Formally, |ρ| = max_{i∈[n]} k(i) and ρ(i) = π̂^(S)(k(i)) = Γ(π^(S)(k(i))), where the function k : N → N is recursively defined as follows:

• let Z_i = {j | i < j ≤ n ∧ Γ(x_j) ≠ Γ(x_i)}

• k(0) = 0

• k(i + 1) = min Z_{k(i)} otherwise

By the fact (proved above) that if (x, u, x') is a transition of LTS(H)^(K) with x̂ ≠ x̂', then (x̂, û, x̂') is a transition of Ĥ^(K̂), we have that ρ is a run of Ĥ^(K̂). Let m = |ρ| = max_{i∈[n]} k(i). Since K̂ is a strong solution to P̂ and x̂ ∈ Dom(K̂), we have that x̂_m ∈ Dom(K̂). This implies that there exists û ∈ Γ(A_U) s.t. K̂(x̂_m, û), thus that there exists û ∈ Adm(Ĥ^(K̂), x̂_m). Thus by property 2 of Def. 14 (and since x_n ∈ Γ^{-1}(x̂_m)) we have that Adm(LTS(H)^(K), x_n) ⊇ Γ^{-1}(û) ≠ ∅, which implies that π cannot be a finite fullpath.

As for the infinite fullpath case (point 2 above), we observe that in π we cannot have an infinite sequence x_k u_k x_{k+1} u_{k+1} ... such that for all j ≥ k, Γ(x_j) = Γ(x_k) and Γ(u_j) = Γ(u_k). In fact, suppose by absurd that this is true, and let k be the least k for which this happens. Then (x̂_k, û_k, x̂_k) is a non-eliminable self loop. Since x_j ∉ B_{||Γ||}(G) for all j ≥ k, and thus x̂_j ∉ Ĝ for all j ≥ k, we also have that J_strong(Ĥ^(K̂), Ĝ, x̂_k) = ∞. By applying the same reasoning used for the finite fullpath case, we have that there is a path in Ĥ^(K̂) leading from x̂ to x̂_k, which implies that J_strong(Ĥ^(K̂), Ĝ, x̂) = ∞. Finally, this contradicts the fact that K̂ is a strong solution to P̂ and x̂ ∈ Dom(K̂).

Thanks to this fact, from a given infinite fullpath π = x_0 u_0 x_1 u_1 ... x_n u_n ... of LTS(H)^(K) with x_0 = x, we can extract an infinite abstract fullpath ρ s.t. ρ(i) = Γ(π^(S)(k(i))), where the function k : N → N is recursively defined as follows:

• k(0) = 0

• k(i + 1) = min{j | k(i) < j ∧ Γ(x_j) ≠ Γ(x_{k(i)})}.

By the fact (proved above) that if (x, u, x') is a transition of LTS(H)^(K) with x̂ ≠ x̂', then (x̂, û, x̂') is a transition of Ĥ^(K̂), we have that ρ is a run of Ĥ^(K̂). Moreover, since for all i ∈ N x_i ∉ B_{||Γ||}(G), we have that for all i ∈ N x̂_{k(i)} ∉ Ĝ. This contradicts the fact that K̂ is a strong solution to P̂ and x̂ ∈ Dom(K̂).

Proof of point 2. Let Ĥ_1 = (Γ(A_X), Γ(A_U), T_1) and Ĥ_2 = (Γ(A_X), Γ(A_U), T_2) be two admissible Q control abstractions of H, with Ĥ_1 ⊆ Ĥ_2. If Ĥ_1 = Ĥ_2 the thesis is proved, thus let us suppose that Ĥ_1 ≠ Ĥ_2. By Fact 5, the only difference between Ĥ_1 and Ĥ_2 may be in a finite number of (eliminable) self loops which are in Ĥ_2 only. That is, there exists a transition set B = {(x̂_1, û_1, x̂_1), ..., (x̂_m, û_m, x̂_m)} s.t. for all (x̂_i, û_i, x̂_i) ∈ B we have that T_1(x̂_i, û_i, x̂_i) = 0 ∧ T_2(x̂_i, û_i, x̂_i) = 1, and for all (x̂, û, x̂') ∈ Γ(A_X) × Γ(A_U) × Γ(A_X) we have that if (x̂, û, x̂') ∉ B then T_1(x̂, û, x̂') = T_2(x̂, û, x̂'). Let K̂ be the strong mgo to the LTS control problem (Ĥ_2, Î, Ĝ) and let (x̂_i, û_i, x̂_i) ∈ B.

Note that if x̂_i ∉ Ĝ and K̂(x̂_i, û_i) then J_strong(Ĥ_2^(K̂), Ĝ, x̂_i) = ∞, since there exists a π ∈ Path(Ĥ_2^(K̂), x̂_i) s.t. π^(S)(t) = x̂_i and π^(A)(t) = û_i for all t ∈ N. As a consequence, if x̂_i ∉ Ĝ then K̂(x̂_i, û_i) does not hold. Moreover, suppose that x̂_i ∈ Ĝ. Since (x̂_i, û_i, x̂_i) is an eliminable self loop of Ĥ_2 and being Ĥ_2 an admissible Q control abstraction, there exists a state x̂' ≠ x̂_i such that T_2(x̂_i, û_i, x̂').

We are now ready to prove the thesis. Since we already know that Î ⊆ Dom(K̂), we only have to prove that i) K̂ is a controller for Ĥ_1 and that ii) J_strong(Ĥ_1^(K̂), Ĝ, x̂) < ∞ for all x̂ ∈ Dom(K̂).

As for the first point, we have to show that K̂(x̂, û) implies û ∈ Adm(Ĥ_1, x̂) (Def. 3). Suppose by absurd that û ∉ Adm(Ĥ_1, x̂) for some x̂, û. Since K̂(x̂, û) implies û ∈ Adm(Ĥ_2, x̂), we have that (x̂, û, x̂) ∈ B. If x̂ ∉ Ĝ then K̂(x̂, û) = 0, which is false by hypothesis. If x̂ ∈ Ĝ, then there exists a state x̂' ≠ x̂ such that T_2(x̂, û, x̂'). Thus, T_1(x̂, û, x̂') holds by Fact 5 and we have û ∈ Adm(Ĥ_1, x̂), which is absurd.

As for the second one, it is sufficient to prove that J_strong(Ĥ_1^(K̂), Ĝ, x̂) = J_strong(Ĥ_2^(K̂), Ĝ, x̂). This can be proved by induction on the value of J_strong(Ĥ_2^(K̂), Ĝ, x̂).

Suppose J_strong(Ĥ_2^(K̂), Ĝ, x̂) = 1. Then, ∅ ≠ Img(Ĥ_2^(K̂), x̂, û) ⊆ Ĝ for all û s.t. K̂(x̂, û). If for all û s.t. K̂(x̂, û) there exists a state x̂' ≠ x̂ s.t. x̂' ∈ Img(Ĥ_2^(K̂), x̂, û), then we have that x̂' ∈ Img(Ĥ_1^(K̂), x̂, û) by Fact 5, and since ∅ ≠ Img(Ĥ_1^(K̂), x̂, û) ⊆ Img(Ĥ_2^(K̂), x̂, û) ⊆ Ĝ we have that J_strong(Ĥ_1^(K̂), Ĝ, x̂) = 1 = J_strong(Ĥ_2^(K̂), Ĝ, x̂). Otherwise, let û be s.t. K̂(x̂, û) and T_2(x̂, û, x̂') → x̂' = x̂. Note that this implies x̂ ∈ Ĝ. If (x̂, û, x̂) ∉ B, then T_1(x̂, û, x̂), thus J_strong(Ĥ_1^(K̂), Ĝ, x̂) = 1 = J_strong(Ĥ_2^(K̂), Ĝ, x̂). The other case, i.e. (x̂, û, x̂) ∈ B, is impossible since, by the reasoning above and being x̂ ∈ Ĝ, it would imply that there exists a state x̂' ≠ x̂ such that T_2(x̂, û, x̂').

Suppose now that for all x̂ s.t. J_strong(Ĥ_2^(K̂), Ĝ, x̂) = n, J_strong(Ĥ_1^(K̂), Ĝ, x̂) = J_strong(Ĥ_2^(K̂), Ĝ, x̂). Let x̂ ∈ Dom(K̂) be s.t. J_strong(Ĥ_2^(K̂), Ĝ, x̂) = n + 1. If (x̂, û, x̂) ∉ B for any û, then Img(Ĥ_2^(K̂), x̂, û) = Img(Ĥ_1^(K̂), x̂, û) for all û, thus J_strong(Ĥ_1^(K̂), Ĝ, x̂) = J_strong(Ĥ_2^(K̂), Ĝ, x̂) by induction hypothesis. Otherwise, let (x̂, û, x̂) ∈ B for some û. By the reasoning above, if x̂ ∉ Ĝ then K̂(x̂, û) = 0, and again J_strong(Ĥ_1^(K̂), Ĝ, x̂) = J_strong(Ĥ_2^(K̂), Ĝ, x̂) by induction hypothesis. If x̂ ∈ Ĝ, then there exists a state x̂' ≠ x̂ such that T_2(x̂, û, x̂') (and T_1(x̂, û, x̂')). Being J_strong(Ĥ_2^(K̂), Ĝ, x̂) = n + 1, we must have J_strong(Ĥ_2^(K̂), Ĝ, x̂') ≤ n, thus again J_strong(Ĥ_1^(K̂), Ĝ, x̂) = J_strong(Ĥ_2^(K̂), Ĝ, x̂) by induction hypothesis.

Finally, note that in general K̂ is not optimal for (Ĥ_1, Î, Ĝ). As a counterexample, consider the control abstractions Ĥ_2 = ({0, 1, 2}, {0, 1}, {(0, 0, 2), (0, 0, 0), (0, 1, 1), (1, 1, 2), (2, 0, 2)}) and Ĥ_1 = ({0, 1, 2}, {0, 1}, {(0, 0, 2), (0, 1, 1), (1, 1, 2), (2, 0, 2)}), with Î = {0, 1, 2} and Ĝ = {2}. We have that the strong mgo for Ĥ_2 is K̂_2 = {(0, 1), (1, 1), (2, 0)}, whilst the strong mgo for Ĥ_1 is K̂_1 = {(0, 0), (1, 1), (2, 0)}, with J_strong(Ĥ_1^(K̂_1), Ĝ, 0) = 1 and J_strong(Ĥ_1^(K̂_2), Ĝ, 0) = J_strong(Ĥ_2^(K̂_2), Ĝ, 0) = 2.

Proof of point 3. Applying the definition of DTLHS control problem (Def. 10), we will show that if K is a weak solution to the LTS control problem (LTS(H), I, B_{||Γ||}(G)), and Ĥ is any full Q control abstraction of H, then there exists a weak solution K̂ to the control problem (Ĥ, Î, Ĝ).

Let us define, for x̂ ∈ Γ(A_X) and û ∈ Γ(A_U), K̂(x̂, û) = ∃x ∈ Γ^{-1}(x̂) ∃u ∈ Γ^{-1}(û) K(x, u). We show that K̂ is a weak solution to any full Q control abstraction of H.

Let Ĥ be a full Q control abstraction of H. First of all, we show that K̂ is a controller for Ĥ (Def. 2), i.e. that K̂(x̂, û) implies û ∈ Adm(Ĥ, x̂). Suppose K̂(x̂, û) holds: this implies that there exist x ∈ Γ^{-1}(x̂), u ∈ Γ^{-1}(û) s.t. K(x, u) and u ∈ Adm(H, x). If there exists x' ∈ A_X s.t. x' ∈ Img(H, x, u) and x̂' ≠ x̂, then, being Ĥ a full Q control abstraction of H, we have that (x̂, û, x̂') is a transition of Ĥ, thus û ∈ Adm(Ĥ, x̂). Otherwise, one of the following must hold:

• Img(H, x, u) = ∅, which is impossible since K(x, u);

• for all x' ∈ A_X s.t. x' ∈ Img(H, x, u), we have that either x' ∉ A_X or x̂' = x̂. Being K a weak controller for H defined only on A_X × A_U (i.e., K(x, u) implies x ∈ A_X and u ∈ A_U), and given that K(x, u) holds, we must have that there exists x' ∈ A_X s.t. x' ∈ Img(H, x, u) and x̂' = x̂. If x = x', then there exists an infinite path inside Γ^{-1}(x̂) with actions in Γ^{-1}(û), i.e. (x̂, û, x̂) is a non-eliminable self loop. This implies that N̂(x̂, û, x̂) holds, thus û ∈ Adm(Ĥ, x̂). Otherwise, i.e. if x ≠ x', the whole reasoning may be applied to x'. Then, either we arrive at a state t ∉ Γ^{-1}(x̂) starting from a state in Γ^{-1}(x̂), and N̂(x̂, û, t̂) implies û ∈ Adm(Ĥ, x̂), or we have an infinite path inside Γ^{-1}(x̂) via Γ^{-1}(û), thus (x̂, û, x̂) is a non-eliminable self loop and N̂(x̂, û, x̂) implies û ∈ Adm(Ĥ, x̂).

We now have to prove that K̂ is a weak solution to Ĥ, being Ĥ a full Q control abstraction of H. First of all, we show that Î ⊆ Dom(K̂). Given x̂ ∈ Î, we have that there exists x ∈ Γ^{-1}(x̂) such that x ∈ I. Since K is a weak solution to P, there exists u ∈ A_U s.t. K(x, u), thus by definition of K̂, K̂(x̂, û) holds, and hence x̂ ∈ Dom(K̂).

Now, we show that for all x̂ ∈ Dom(K̂), J_weak(Ĥ^(K̂), Ĝ, x̂) is finite. By definition of K̂, and since K is a weak solution to P, there exists a finite path π = x_0 u_0 x_1 u_1 ... u_{n−1} x_n such that x_0 ∈ Γ^{-1}(x̂), x_i ∈ A_X for all 0 ≤ i ≤ n and x_n ∈ B_{||Γ||}(G).

Let π = x_0 u_0 ... u_{n−1} x_n, and let ρ be defined from π by collapsing all consecutive equal (abstract) states into one state. Formally, |ρ| = max_{i∈[n]} k(i) and ρ(i) = π̂^(S)(k(i)) = Γ(π^(S)(k(i))), where the function k : N → N is recursively defined as follows:

• let Z_i = {j | i < j ≤ n ∧ Γ(x_j) ≠ Γ(x_i)}

• k(0) = 0

• k(i + 1) = min Z_{k(i)} otherwise

In a full Q control abstraction Ĥ, if (x, u, x') is a transition of LTS(H) and x̂ ≠ x̂', then N̂(x̂, û, x̂'). Then we have that ρ is a finite path in Ĥ^(K̂) that leads from x̂_0 = x̂ to the goal. As a consequence, K̂ is a weak solution to P̂.

Proof of point 4. Analogously to the proof of point 2, let Ĥ_1 = (Γ(A_X), Γ(A_U), T_1) and Ĥ_2 = (Γ(A_X), Γ(A_U), T_2) be two full Q control abstractions of H, with Ĥ_1 ⊆ Ĥ_2. If Ĥ_1 = Ĥ_2 the thesis is proved, thus let us suppose that Ĥ_1 ≠ Ĥ_2. By Fact 5, the only difference between Ĥ_1 and Ĥ_2 may be in a finite number of eliminable self loops which are in Ĥ_2 only. Let B = {(x̂_1, û_1, x̂_1), ..., (x̂_m, û_m, x̂_m)} be the set of such self loops. Let K̂ be the weak mgo to the LTS control problem (Ĥ_1, Î, Ĝ) and let (x̂_i, û_i, x̂_i) ∈ B. Since we already know that Î ⊆ Dom(K̂), we only have to prove that i) K̂ is a controller for Ĥ_2 and that ii) J_weak(Ĥ_2^(K̂), Ĝ, x̂) < ∞ for all x̂ ∈ Dom(K̂).

As for the first point, we have to show that K̂(x̂, û) implies û ∈ Adm(Ĥ_2, x̂) (Def. 3). Since K̂(x̂, û) implies û ∈ Adm(Ĥ_1, x̂), and since û ∈ Adm(Ĥ_1, x̂) implies û ∈ Adm(Ĥ_2, x̂), this point is proved.

As for the second one, it is sufficient to prove that J_weak(Ĥ_2^(K̂), Ĝ, x̂) ≤ J_weak(Ĥ_1^(K̂), Ĝ, x̂). This can be proved by induction on the value of J_weak(Ĥ_1^(K̂), Ĝ, x̂).

Suppose J_weak(Ĥ_1^(K̂), Ĝ, x̂) = 1. Then, Img(Ĥ_1^(K̂), x̂, û) ∩ Ĝ ≠ ∅ for all û s.t. K̂(x̂, û). Since Ĥ_2 only adds self loops to Ĥ_1, we have that Img(Ĥ_2^(K̂), x̂, û) ∩ Ĝ ≠ ∅ for all û s.t. K̂(x̂, û), thus J_weak(Ĥ_2^(K̂), Ĝ, x̂) = 1 ≤ J_weak(Ĥ_1^(K̂), Ĝ, x̂).

Suppose now that for all x̂ s.t. J_weak(Ĥ_1^(K̂), Ĝ, x̂) = n, J_weak(Ĥ_2^(K̂), Ĝ, x̂) ≤ J_weak(Ĥ_1^(K̂), Ĝ, x̂). Let x̂ be s.t. J_weak(Ĥ_1^(K̂), Ĝ, x̂) = n + 1. If (x̂, û, x̂) ∉ B for any û, then Img(Ĥ_1^(K̂), x̂, û) = Img(Ĥ_2^(K̂), x̂, û) for all û, thus J_weak(Ĥ_2^(K̂), Ĝ, x̂) ≤ J_weak(Ĥ_1^(K̂), Ĝ, x̂) by induction hypothesis. Otherwise, let (x̂, û, x̂) ∈ B for some û. If x̂ ∉ Ĝ we simply have that J_weak(Ĥ_2^(K̂), Ĝ, x̂) ≤ J_weak(Ĥ_1^(K̂), Ĝ, x̂) by induction hypothesis. Otherwise, if x̂ ∈ Ĝ, let K̂_1 be s.t. K̂_1(x̂, û) = 0 and K̂_1(s, a) = K̂(s, a) for (s, a) ≠ (x̂, û). Then, J_weak(Ĥ_2^(K̂), Ĝ, x̂) = max{1, J_weak(Ĥ_1^(K̂_1), Ĝ, x̂)} ≤ J_weak(Ĥ_1^(K̂), Ĝ, x̂), thus the thesis is proved.

□

A.7 Function selfLoop correctness

Proposition 11. Let H = (X, U, Y, N) be a DTLHS, Q = (A, Γ) be a quantization for H, x̂ ∈ Γ(A_X), and û ∈ Γ(A_U). If the abstract self loop (x̂, û, x̂) has a concrete witness and selfLoop(H, Q, x̂, û) returns FALSE, then (x̂, û, x̂) is an eliminable self loop.

Proof. Suppose by absurd that the abstract self loop (x̂, û, x̂) has a concrete witness, selfLoop(H, Q, x̂, û) returns FALSE, and (x̂, û, x̂) is a non-eliminable self loop. Then there exists an infinite run π = x_0 u_0 x_1 u_1 ... such that for all t ∈ N x_t ∈ Γ^{-1}(x̂) and u_t ∈ Γ^{-1}(û).

For i ∈ [|X|], let w_i ≤ W_i be the values computed in lines 3 and 5 of Alg. 3, i.e. w_i = optimalValue(min, x_i' − x_i, N(X, U, Y, X') ∧ Γ(X) = x̂ ∧ Γ(U) = û ∧ Γ(X') = x̂) and W_i = optimalValue(max, x_i' − x_i, N(X, U, Y, X') ∧ Γ(X) = x̂ ∧ Γ(U) = û ∧ Γ(X') = x̂).

Since selfLoop(H, Q, x̂, û) returns FALSE, there exists at least an index j ∈ [|X|] such that w_j > 0 or W_j < 0 (see the corresponding checks in Alg. 3). Let us consider the former case (note that w_j > 0 implies W_j > 0).

For all k ∈ N, we have that |(x_k)_j − (x_0)_j| = (x_k)_j − (x_0)_j ≥ k w_j. If we take k > ||γ_{x_j}|| / w_j, we have that |(x_k)_j − (x_0)_j| > ||γ_{x_j}|| and hence x_k cannot belong to Γ^{-1}(x̂).

Analogously, if w_j ≤ W_j < 0 then we have that |(x_k)_j − (x_0)_j| = (x_0)_j − (x_k)_j ≥ −k W_j. If we take k > −||γ_{x_j}|| / W_j, we have that |(x_k)_j − (x_0)_j| > ||γ_{x_j}|| and hence x_k cannot belong to Γ^{-1}(x̂).

In both cases we have a contradiction, thus the thesis is proved.

□
A.8 Functions minCtrAbs and minFullCtrAbs correctness

Proposition 10. Let H = (X, U, Y, N) be a DTLHS and Q = (A, Γ) be a quantization for H.

If N̂ is the transition relation computed by minCtrAbs(H, Q) then Ĥ = (Γ(A_X), Γ(A_U), N̂) is an admissible Q control abstraction of H.

If N̂ is the transition relation computed by minFullCtrAbs(H, Q) then Ĥ = (Γ(A_X), Γ(A_U), N̂) is a full Q control abstraction of H.

Proof. Here we prove only the part regarding function minCtrAbs, since the other part may be proved analogously. We first show that the control abstraction Ĥ = (Γ(A_X), Γ(A_U), N̂) satisfies conditions 1–3 of Def. 13.

1. Each transition (x̂, û, x̂') is added to N̂ in line 9 or in the self loop handling of Alg. 2. In both cases, it has been checked by function existsTrans that ∃x ∈ Γ^{-1}(x̂), u ∈ Γ^{-1}(û), x' ∈ Γ^{-1}(x̂'), y ∈ A_Y such that N(x, u, y, x') (in the latter case the check is inside function selfLoop).

2. Let x, x' ∈ A_X and u ∈ A_U be such that ∃y N(x, u, y, x') and Γ(x) ≠ Γ(x'). Since minCtrAbs examines all tuples in Γ(A_X) × Γ(A_U) × Γ(A_X), it will eventually examine the tuple (x̂, û, x̂') s.t. x̂ = Γ(x), û = Γ(u), and x̂' = Γ(x'). If û is not Q-admissible in x̂ no transition is added to N̂ because of the check in line 8. Otherwise, since ∃y N(x, u, y, x') holds, existsTrans(x̂, û, x̂') returns TRUE and the transition (x̂, û, x̂') is added to N̂ in line 9 of Alg. 2.

3. Note that condition 3 of Def. 13 may be rephrased as follows: if (x̂, û, x̂) is a non-eliminable self loop, then N̂(x̂, û, x̂) must hold. That is, if N̂(x̂, û, x̂) = 0 then either there is no concrete witness for the self loop (x̂, û, x̂), or (x̂, û, x̂) is an eliminable self loop. This is exactly the case for which function selfLoop(H, Q, x̂, û) returns FALSE (resp. by line 1 of Alg. 3 and by Prop. 11). Since a self loop (x̂, û, x̂) is not added to N̂ only if selfLoop(H, Q, x̂, û) returns FALSE in line 5 of Alg. 2, and since function selfLoop(H, Q, x̂, û) is eventually invoked for all x̂ ∈ Γ(A_X) and û ∈ Γ(A_U), the thesis is proved.

□
B Details about the Experiments

In this section we give (Tab. 3) all details about the MILP problems arising in our experiments of Sect. 8. Namely, in Tab. 3 MILP_i has the same meaning as in Sect. 8.2.1, i.e. MILP1 refers to the MILP problems described in Sect. 6.3, i.e. those computing the quantization for I and G, MILP2 refers to the MILP problems in function selfLoop (see Alg. 3), MILP3 refers to the MILP problems used in function overling (line 6 of Alg. 2), MILP4 refers to the MILP problems used to check action admissibility (line 8 of Alg. 2), and MILP5 refers to the MILP problems used to check transition witnesses (line 9 of Alg. 2). In Tab. 3 columns b, Num, Avg and Tot are the same as columns b, Num, Avg and Time of Tab. 2: b shows the number of AD bits, Num is the number of times that the MILP problem of the given type is called, Tot is the total CPU time needed to solve all the Num instances of the MILP problem of the given type, and Avg is the ratio between Tot and Num. In Tab. 3 we also show in columns Min and Max the minimum and maximum time to solve one MILP problem of the given type. The standard deviation for such statistics is given in column DevStd.



C From Boolean Relations to Control Software

In this section we give more details about how we obtain our control software, starting from a strong mgo K(x, u) (see Sect. 7). To this aim, we follow the exposition given in [32]. Further details are in [31].

C.1 Basic Definitions

In the following, we will denote boolean functions f : B^n → B with boolean expressions on boolean variables involving + (logical OR), · (logical AND, usually omitted, thus xy = x · y), ¬ (logical complementation) and ⊕ (logical XOR). We will also denote vectors of boolean variables in boldface, e.g. x = (x_1, ..., x_n). Moreover, we also denote with f|_{x_i = g(x)} the boolean function f(x_1, ..., x_{i−1}, g(x), x_{i+1}, ..., x_n) and with ∃x_i f(x) the boolean function
Table 3: Complete statistics for Tab. 2 of Sect. 8

MILP1
b    Num       Tot       Avg       Min       Max       DevStd
8    6.55e+04  4.61e+00  7.03e-05  0.00e+00  1.00e-02  8.35e-04
9    2.62e+05  1.84e+01  7.02e-05  0.00e+00  1.00e-02  8.35e-04
10   1.05e+06  2.79e+02  2.66e-04  0.00e+00  1.00e-02  1.61e-03
11   4.19e+06  9.65e+02  2.30e-04  0.00e+00  1.00e-02  1.50e-03

MILP2
b    Num       Tot       Avg       Min       Max       DevStd
8    3.99e+05  3.25e+02  1.52e-03  0.00e+00  1.00e-02  4.39e-03
9    1.59e+06  1.12e+03  1.41e-03  0.00e+00  1.00e-02  4.14e-03
10   6.36e+06  1.35e+04  3.78e-03  0.00e+00  1.00e-02  6.43e-03
11   2.54e+07  4.56e+04  3.26e-03  0.00e+00  1.00e-02  6.10e-03

MILP3
b    Num       Tot       Avg       Min       Max       DevStd
8    2.31e+05  2.10e+02  9.10e-04  0.00e+00  1.00e-02  3.20e-03
9    9.21e+05  8.44e+02  9.16e-04  0.00e+00  1.00e-02  3.18e-03
10   3.68e+06  1.11e+04  3.00e-03  0.00e+00  2.00e-02  4.26e-03
11   1.47e+07  3.76e+04  2.55e-03  0.00e+00  2.00e-02  4.02e-03

MILP4
b    Num       Tot       Avg       Min       Max       DevStd
8    7.80e+05  7.71e+02  9.89e-04  0.00e+00  1.00e-02  2.98e-03
9    4.42e+06  4.49e+03  1.02e-03  0.00e+00  1.00e-02  3.02e-03
10   3.01e+07  7.75e+04  2.58e-03  0.00e+00  2.00e-02  4.37e-03
11   2.61e+08  5.66e+05  2.17e-03  0.00e+00  2.00e-02  4.13e-03

MILP5
b    Num       Tot       Avg       Min       Max       DevStd
8    4.27e+05  1.20e+02  2.80e-04  0.00e+00  1.00e-02  1.65e-03
9    1.71e+06  4.87e+02  2.85e-04  0.00e+00  1.00e-02  1.66e-03
10   6.84e+06  1.25e+04  1.83e-03  0.00e+00  2.00e-02  3.87e-03
11   2.74e+07  4.25e+04  1.55e-03  0.00e+00  2.00e-02  3.62e-03
C.1.1 OBDD Representation for Boolean Functions

A Binary Decision Diagram (BDD) $R$ is a rooted directed acyclic graph
(DAG) with the following properties. Each $R$ node $v$ is labeled either with a
boolean variable var($v$) (internal node) or with a boolean constant val($v$) $\in \mathbb{B}$
(terminal node). Each $R$ internal node $v$ has exactly two children, labeled
with high($v$) and low($v$). Let $x_1, \ldots, x_n$ be the boolean variables labeling
$R$ internal nodes. Each terminal node $v$ represents $f_v(x) = \mathrm{val}(v)$. Each
internal node $v$ represents $f_v(x) = x_i f_{\mathrm{high}(v)}(x) + \bar{x}_i f_{\mathrm{low}(v)}(x)$, being
$x_i = \mathrm{var}(v)$. An Ordered BDD (OBDD) is a BDD where, on each path from the
root to a terminal node, the variables labeling each internal node must follow
the same ordering.

C.2 OBDDs with Complemented Edges

In this section we introduce OBDDs with complemented edges (COBDDs,
Def. 15), which were first presented in the 90's. Intuitively, they are OBDDs
where else edges (i.e. edges of type $(v, \mathrm{low}(v))$) may be complemented. Then
edges (i.e. edges of type $(v, \mathrm{high}(v))$) may not be complemented, so that
canonicity is retained. Edge complementation usually reduces resource usage,
both in terms of CPU and memory.

Definition 15. An OBDD with complemented edges (COBDD in the following)
is a tuple $\rho = (\mathbb{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ with the following properties:
i) $\mathbb{V} = \{x_1, \ldots, x_n\}$ is a finite set of ordered boolean variables; ii) $V$ is a finite
set of nodes; iii) $1 \in V$ is the terminal node of $\rho$, corresponding to the boolean
constant 1 (non-terminal nodes are called internal); iv) for each internal node
$v$, $\mathrm{var}(v) < \mathrm{var}(\mathrm{high}(v))$ and $\mathrm{var}(v) < \mathrm{var}(\mathrm{low}(v))$; v) var, low, high, flip are
functions defined on internal nodes, namely: $\mathrm{var} : V \setminus \{1\} \to \mathbb{V}$ assigns to
each internal node a boolean variable in $\mathbb{V}$, high [low] $: V \setminus \{1\} \to V$ assigns to
each internal node $v$ a high child [low child] (or then child [else child]), representing
the case in which var($v$) = 1 [var($v$) = 0], $\mathrm{flip} : V \setminus \{1\} \to \mathbb{B}$ assigns to
each internal node $v$ a boolean value; namely, if flip($v$) = 1 then the else child
has to be complemented, otherwise it is regular (i.e. non-complemented).

COBDDs associated multigraphs We associate to a COBDD $\rho = (\mathbb{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$
a labeled directed multigraph $G^{(\rho)} = (V, E)$ s.t. $V$
is the same set of nodes of $\rho$ and there is an edge $(v, w) \in E$ iff $w$ is a child
of $v$. Moreover, each edge $e \in E$ has a type type($e$), indicating if $e$ is a then,
a regular else, or a complemented else edge. Fig. 11 shows an example of
a COBDD depicted via its associated multigraph, where edges are directed
downwards. Moreover, in Fig. 11 then edges are solid lines, regular else edges
are dashed lines and complemented else edges are dotted lines.

The graph associated to a given COBDD $\rho = (\mathbb{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$
may be seen as a forest with multiple rooted multigraphs. In order to
select one root vertex and thus one rooted multigraph, we define the COBDD
restricted to $v \in V$ as the COBDD $\rho_v = (\mathbb{V}, V_v, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ s.t.
$V_v = \{w \in V \mid \text{there exists a path from } v \text{ to } w \text{ in } G^{(\rho)}\}$ (note that $v \in V_v$).

Reduced COBDDs Two COBDDs are isomorphic iff there exists a mapping
from nodes to nodes preserving attributes var, flip, high and low. A
COBDD is called reduced iff it contains no vertex $v$ with $\mathrm{low}(v) = \mathrm{high}(v) \land
\mathrm{flip}(v) = 0$, nor does it contain distinct vertices $v$ and $v'$ such that $\rho_v$ and
$\rho_{v'}$ are isomorphic. Note that, differently from OBDDs, it is possible that
$\mathrm{high}(v) = \mathrm{low}(v)$ for some $v \in V$, provided that $\mathrm{flip}(v) = 1$ (e.g. see nodes
0xf and 0xe in Fig. 11). In the following, we assume all our COBDDs to be
reduced.

COBDDs Properties For a given COBDD $\rho = (\mathbb{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$
the following properties follow from the definitions given above: i) $G^{(\rho)}$ is
a rooted directed acyclic (multi)graph (DAG); ii) each path in $G^{(\rho)}$ starting
from an internal node ends in 1; iii) let $v_1, \ldots, v_k$ be a path in $G^{(\rho)}$, then
$\mathrm{var}(v_1) < \ldots < \mathrm{var}(v_k)$.

C.2.1 Semantics of a COBDD

In Def. 16 we define the semantics $[\![\cdot]\!]$ of each node $v$ of a given COBDD $\rho$ as
the boolean function represented by $v$, given the parity $b$ of complemented
edges seen on the path from a root to $v$.

Definition 16. Let $\rho = (\mathbb{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD. The
semantics of the terminal node 1 w.r.t. a flipping bit $b$ is a boolean function
defined as $[\![1, b]\!]_\rho := b$. The semantics of an internal node $v \in V$ w.r.t.
a flipping bit $b$ is a boolean function defined as $[\![v, b]\!]_\rho := x_i [\![\mathrm{high}(v), b]\!]_\rho +
\bar{x}_i [\![\mathrm{low}(v), b \oplus \mathrm{flip}(v)]\!]_\rho$, being $x_i = \mathrm{var}(v)$. When $\rho$ is understood, we will
write $[\![\cdot]\!]$ instead of $[\![\cdot]\!]_\rho$.
Example 15. Let $\rho$ be the COBDD depicted in Fig. 11. If we pick node 0xe
we have $[\![\mathtt{0xe}, b]\!] = x_2 [\![1, b]\!] + \bar{x}_2 [\![1, b \oplus 1]\!] = x_2 b + \bar{x}_2 \bar{b} = \overline{x_2 \oplus b}$.

Theor. 16 states that COBDDs are a canonical representation for boolean
functions.

Theorem 16. Let $f : \mathbb{B}^n \to \mathbb{B}$ be a boolean function. Then there exist a
COBDD $\rho = (\mathbb{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$, a node $v \in V$ and a flipping bit
$b \in \mathbb{B}$ s.t. $[\![v, b]\!] = f(x)$. Moreover, let $\rho = (\mathbb{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$
be a COBDD, let $v_1, v_2 \in V$ be nodes and $b_1, b_2 \in \mathbb{B}$ be flipping bits. Then
$[\![v_1, b_1]\!] = [\![v_2, b_2]\!]$ iff $v_1 = v_2 \land b_1 = b_2$.

D Synthesis of C Code from a COBDD

Let $\mathcal{H} = (X, U, Y, N)$ be a DTLHS, $\mathcal{Q} = (A, \Gamma)$ be a quantization, $\hat{\mathcal{H}} =
(\Gamma(A_X), \Gamma(A_U), \hat{N})$ be the close to minimum $\mathcal{Q}$ control abstraction computed
by function minCtrAbs and $K : \Gamma(A_X) \times \Gamma(A_U) \to \mathbb{B}$ be the strong mgo
for the LTS control problem $(\hat{\mathcal{H}}, I, G)$. As is usual in Model Checking,
we assume to have encoding functions $\mathrm{enc}_X : \Gamma(A_X) \to \mathbb{B}^n$ and $\mathrm{enc}_U :
\Gamma(A_U) \to \mathbb{B}^r$ s.t. $n = \sum_{x \in X} (\lfloor \log_2(\gamma_x(\sup A_x) - \gamma_x(\inf A_x) + 1) \rfloor + 1)$ and
$r = \sum_{u \in U} (\lfloor \log_2(\gamma_u(\sup A_u) - \gamma_u(\inf A_u) + 1) \rfloor + 1)$. This allows us to regard
the mgo $K$ as a boolean function $K(x_1, \ldots, x_n, u_1, \ldots, u_r)$, by stipulating
that $K(x, u) = K(\mathrm{enc}_X(x), \mathrm{enc}_U(u))$.

Let $\rho = (\mathbb{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD s.t. there exist
$v \in V$, $b \in \mathbb{B}$ s.t. $[\![v, b]\!] = K(x_1, \ldots, x_n, u_1, \ldots, u_r)$. Thus, $\mathbb{V} = \mathcal{X} \uplus \mathcal{U} = \{x_1,
\ldots, x_n\} \uplus \{u_1, \ldots, u_r\}$ (we denote with $\uplus$ the disjoint union operator, thus
$\mathcal{X} \cap \mathcal{U} = \emptyset$). We will call boolean variables $x_i \in \mathcal{X}$ (boolean) state variables
and variables $u_j \in \mathcal{U}$ (boolean) action variables.

D.1 Synthesis Algorithm: Overview

Our method Synthesize takes as input $\rho$, $v$ and $b$ s.t. $[\![v, b]\!] = K(x, u)$.
Then, it returns as output a C function void K(int *x, int *u) with the
following property: if, before a call to K, $\forall i\; \mathtt{x}[i-1] = x_i$ holds (array indexes
in C language begin from 0) with $x \in \mathrm{Dom}(K)$, and after the call to K, $\forall i\;
\mathtt{u}[i-1] = u_i$ holds, then $K(x, u) = 1$. Moreover, the WCET of function K
is $O(nr)$.
Note that our method Synthesize provides an effective implementation of
the mgo $K$, i.e. a C function which takes as input the current state of the
LTS and outputs the action to be taken. Thus, K is indeed control software.

Function Synthesize is organized in two phases. First, starting from $\rho$, $v$
and $b$ (thus from $K(x, u)$), we generate COBDD nodes $v_1, \ldots, v_r$ and flipping
bits $b_1, \ldots, b_r$ for boolean functions $f_1, \ldots, f_r$ s.t. each $f_i = [\![v_i, b_i]\!]$ takes as
input the state bit vector $x$ and computes the $i$-th bit $u_i$ of an output action
bit vector $u$, where $K(x, u) = 1$, provided that $x \in \mathrm{Dom}(K)$. This computation
is carried out in function SolveFunctionalEq. Second, $f_1, \ldots, f_r$ are
translated inside function void K(int *x, int *u). This step is performed
by maintaining the structure of the COBDD nodes representing $f_1, \ldots, f_r$.
This allows us to exploit COBDD node sharing in the generated software.
This phase is performed by function GenerateCCode.

Thus function Synthesize is organized as in Alg. 6. Correctness for function
Synthesize is stated in Theor. 17.

Algorithm 6 Translating COBDDs to a C function
Input: COBDD $\rho$, node $v$, boolean $b$
function Synthesize($\rho$, $v$, $b$):

1. $(v_1, b_1, \ldots, v_r, b_r) \leftarrow$ SolveFunctionalEq($\rho$, $v$, $b$)

2. GenerateCCode($\rho$, $v_1, b_1, \ldots, v_r, b_r$)



D.2 Synthesis Algorithm: Solving Functional Equation

In this phase, starting from $\rho$, $v$ and $b$ (thus from $[\![v, b]\!] = K(x, u)$), we compute
functions $f_1, \ldots, f_r$ s.t. for all $x \in \mathrm{Dom}(K)$, $K(x, f_1(x), \ldots, f_r(x)) = 1$.
To this aim, we follow an approach similar to the one presented in [43].
Namely, we compute $f_i$ using $f_1, \ldots, f_{i-1}$, in the following way: $f_i(x) =
\exists u_{i+1}, \ldots, u_r\; K(x, f_1(x), \ldots, f_{i-1}(x), 1, u_{i+1}, \ldots, u_r)$. Thus, function Solve-
FunctionalEq($\rho$, $v$, $b$) computes and returns $(v_1, b_1, \ldots, v_r, b_r)$ s.t. for all $i \in
[r]$, $[\![v_i, b_i]\!] = f_i(x)$.

D.3 Synthesis Algorithm: Generating C Code

In this phase, starting from COBDD nodes $v_1, \ldots, v_r$ and flipping bits
$b_1, \ldots, b_r$ for functions $f_1, \ldots, f_r$ generated in the first phase, we generate
two C functions: i) void K(int *x, int *u), which is the required output
function for our method Synthesize; ii) int K_bits(int *x, int action),
which is an auxiliary function called by K. A call to K_bits(x, i) returns
$f_i(x)$, being $\mathtt{x}[j-1] = x_j$ for all $j \in [n]$. This phase is detailed in Algs. 7
(function GenerateCCode) and 8 (function Translate).

Given inputs $\rho, v_1, b_1, \ldots, v_r, b_r$ (output by SolveFunctionalEq), Algs. 7
and 8 work as follows. First, function int K_bits(int *x, int action)
is generated. If $\mathtt{x}[j-1] = x_j$ for all $j \in [n]$, the call K_bits(x, i) has to
return $f_i(x)$. In order to do this, K_bits(x, i) traverses the graph $G^{(\rho_{v_i})}$ by
taking, in each node $v$, the then edge if $\mathtt{x}[j-1] = 1$ (with $j$ s.t. $\mathrm{var}(v) = x_j$)
and the else edge otherwise. When node 1 is reached, 1 is returned iff
the integer sum $c + b_i$ is even, being $c$ the number of complemented else edges
traversed. Parity of $c + b_i$ is maintained by initializing a C variable ret_b to
$b_i$, then complementing ret_b when a complemented else edge is traversed,
and finally returning ret_b.

Thus, Algs. 7 and 8 generate K_bits in order to obtain the above described
behavior. Namely, for all $v_i$ output by the first phase (function Solve-
FunctionalEq), GenerateCCode calls Translate with parameters $\rho, v_i, W$,
where $W$ maintains the set of nodes already translated in C code. This
results, for all such $v_i$, in a recursive graph traversal of $G^{(\rho_{v_i})}$ where, for
each internal node $w \notin W$ which was not already translated, a C code block
$B = B_1 B_2$ is generated s.t. $B_1$ is of the form L_w: if (x[j − 1]) goto
L_h; (line 7 of Alg. 8) and $B_2$ has one of the following forms: i) else goto
L_l; (if flip($w$) = 0, line 9 of Alg. 8) or ii) else {ret_b = !ret_b; goto
L_l;} (otherwise, line 8 of Alg. 8). For the terminal node, the block L_1:
return ret_b; is generated. Note that maintaining the set of already translated
nodes $W$ allows us to fully exploit COBDD node sharing.

Algorithm Correctness Correctness of our approach, i.e. of function
Synthesize in Alg. 6, is stated by Th. 17 (for the proof, see [31]).

Theorem 17. Let $\rho = (\mathbb{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD with
$\mathbb{V} = \mathcal{X} \uplus \mathcal{U}$, $v \in V$ be a node, $b \in \mathbb{B}$ be a boolean. Let $[\![v, b]\!] = K(x, u)$.
Then function Synthesize($\rho$, $v$, $b$) generates a C function void K(int *x,
int *u) with the following property: for all $x \in \mathrm{Dom}(K)$, if before a call to
K $\forall i \in [n]\; \mathtt{x}[i-1] = x_i$, and after the call to K $\forall i \in [r]\; \mathtt{u}[i-1] = u_i$, then
$K(x, u) = 1$. Furthermore, function K has WCET $O(nr)$.
Algorithm 7 Generating C functions

Input: COBDD $\rho$, nodes $v_1, \ldots, v_r$, boolean values $b_1, \ldots, b_r$
function GenerateCCode($\rho$, $v_1, b_1, \ldots, v_r, b_r$):

1. print "int K_bits(int *x, int action) { int ret_b;
   switch(action) {"

2. for all $i \in [r]$ do

3. print "case ", $i - 1$, ": ret_b = ", $b_i$, "; goto L_", $v_i$, ";"

4. print "}" /* end of the switch block */

5. $W \leftarrow \emptyset$

6. for all $i \in [r]$ do $W \leftarrow$ Translate($\rho$, $v_i$, $W$) done

7. print "} void K(int *x, int *u){int i; for(i = 0; i < ", $r$, "; i++)
   u[i] = K_bits(x, i);}"



Algorithm 8 COBDD nodes translation

Input: COBDD $\rho$, node $v$, nodes set $W$
function Translate($\rho$, $v$, $W$):

1. if $v \in W$ then return $W$

2. $W \leftarrow W \cup \{v\}$, print "L_", $v$, ":"

3. if $v = 1$ then

4. print "return ret_b;"

5. else

6. let $i$ be s.t. $\mathrm{var}(v) = x_i$

7. print "if (x[", $i - 1$, "]==1) goto L_", high($v$), ";"

8. if flip($v$) then print "else {ret_b=!ret_b; goto L_", low($v$), ";}"

9. else print "else goto L_", low($v$), ";"

10. $W \leftarrow$ Translate($\rho$, high($v$), $W$)

11. $W \leftarrow$ Translate($\rho$, low($v$), $W$)

12. return $W$
Figure 11: An mgo example



An Example of Translation Consider the COBDD $\rho$ shown in Fig. 11.
Within $\rho$, consider mgo $K(x_0, x_1, x_2, u_0, u_1) = [\![\mathtt{0x17}, 1]\!]$. By applying
SolveFunctionalEq, we obtain $f_1(x_0, x_1, x_2) = [\![\mathtt{0x15}, 1]\!]$ and $f_2(x_0, x_1, x_2) =
[\![\mathtt{0x10}, 1]\!]$. Note that 0xe is shared between $G^{(\rho_{\mathtt{0x15}})}$ and $G^{(\rho_{\mathtt{0x10}})}$. Finally, by
calling GenerateCCode (see Alg. 7) on $f_1, f_2$, we have the C code in Fig. 12.
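To make the semantics of Def. 16 and the traversal of Algs. 7 and 8 concrete, here is an added example in C; it is not code from the paper or from QKS. It stores a COBDD as a node table whose ids, variables and edges are read off the generated code of Fig. 12 (that this table is exactly the COBDD of Fig. 11 is an assumption), evaluates $[\![v, b]\!]$ recursively as in Def. 16, runs the K_bits-style traversal that keeps the parity of complemented else edges in ret_b, checks that the two agree for every state and flipping bit, and emulates Translate so that the shared node 0xe is emitted only once. The function names (sem, traverse, agree_everywhere, generate_k) and the values $b_1 = b_2 = 1$ passed to generate_k are this example's choices.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the paper or from QKS. The COBDD is held as a
 * node table whose ids, variables and edges are read off the generated code in
 * Fig. 12 (that this is exactly the COBDD of Fig. 11 is an assumption). On it we
 * (a) evaluate Def. 16 recursively, (b) run the parity-tracking traversal that
 * the generated K_bits performs, and (c) emulate Alg. 7/8 to emit the C text. */

#define TERMINAL 1      /* node 1 is the terminal node of the COBDD */
#define MAX_NODE 0x20   /* ids used below: 1, 0xe, 0xf, 0x10, 0x13, 0x14, 0x15 */
#define N_VARS   3      /* state bits x_0, x_1, x_2 */

typedef struct { int var, high, low, flip; } cobdd_node;
static cobdd_node nodes[MAX_NODE];   /* indexed by node id */

/* Each "L_v: if (x[i]==1) goto L_h; else {...goto L_l;}" block in Fig. 12 gives
 * var(v) = x_i, high(v) = h, low(v) = l and flip(v) = 1 iff ret_b is toggled. */
static void build_fig12_cobdd(void) {
    nodes[0x15] = (cobdd_node){0, 0x13, 0x14, 1};
    nodes[0x13] = (cobdd_node){1, 0xe, TERMINAL, 1};
    nodes[0xe]  = (cobdd_node){2, TERMINAL, TERMINAL, 1}; /* high == low, legal as flip == 1 */
    nodes[0x14] = (cobdd_node){1, 0xe, TERMINAL, 0};
    nodes[0x10] = (cobdd_node){0, 0xe, 0xf, 1};
    nodes[0xf]  = (cobdd_node){1, 0xe, 0xe, 1};
}

/* Def. 16: [[1,b]] = b;  [[v,b]] = x_i [[high(v),b]] + !x_i [[low(v), b xor flip(v)]]. */
int sem(int v, int b, const int *x) {
    build_fig12_cobdd();
    if (v == TERMINAL) return b;
    const cobdd_node *n = &nodes[v];
    return x[n->var] ? sem(n->high, b, x) : sem(n->low, b ^ n->flip, x);
}

/* What the generated K_bits does: ret_b starts at the flipping bit and is
 * toggled on each complemented else edge. var() strictly increases along a path
 * (COBDD property iii), so at most N_VARS steps run: O(n) per bit, O(nr) for K. */
int traverse(int v, int b, const int *x) {
    build_fig12_cobdd();
    int ret_b = b;
    while (v != TERMINAL) {
        const cobdd_node *n = &nodes[v];
        if (x[n->var] == 1) v = n->high;
        else { ret_b ^= n->flip; v = n->low; }
    }
    return ret_b;
}

/* 1 iff sem and traverse agree on every x in B^3 for both flipping bits. */
int agree_everywhere(int root) {
    for (int b = 0; b < 2; b++)
        for (int m = 0; m < (1 << N_VARS); m++) {
            int x[N_VARS];
            for (int i = 0; i < N_VARS; i++) x[i] = (m >> i) & 1;
            if (sem(root, b, x) != traverse(root, b, x)) return 0;
        }
    return 1;
}

/* Alg. 8 (Translate): the set W is the 'done' array, so a node is printed once. */
static char out[2048]; static int done[MAX_NODE];
static void emit(const char *s) { strncat(out, s, sizeof out - strlen(out) - 1); }
static const char *label(int v, char *buf) {
    if (v == TERMINAL) strcpy(buf, "L_1"); else sprintf(buf, "L_0x%x", v);
    return buf;
}
static void translate(int v) {
    char lv[16], lh[16], ll[16], line[160];
    if (done[v]) return;
    done[v] = 1;
    if (v == TERMINAL) { emit("L_1: return ret_b;\n"); return; }
    const cobdd_node *n = &nodes[v];
    label(v, lv); label(n->high, lh); label(n->low, ll);
    if (n->flip)
        snprintf(line, sizeof line, "%s: if (x[%d]==1) goto %s; else {ret_b=!ret_b; goto %s;}\n", lv, n->var, lh, ll);
    else
        snprintf(line, sizeof line, "%s: if (x[%d]==1) goto %s; else goto %s;\n", lv, n->var, lh, ll);
    emit(line);
    translate(n->high);
    translate(n->low);
}

/* Alg. 7 for the roots of the translation example, f_1 = [[0x15, b1]] and
 * f_2 = [[0x10, b2]] (r = 2); returns the generated C source in a static buffer. */
const char *generate_k(int b1, int b2) {
    char line[128];
    build_fig12_cobdd();
    out[0] = '\0';
    memset(done, 0, sizeof done);
    emit("int K_bits(int *x, int action) { int ret_b; switch(action) {\n");
    snprintf(line, sizeof line, "case 0: ret_b = %d; goto L_0x15;\ncase 1: ret_b = %d; goto L_0x10;\n}\n", b1, b2);
    emit(line);
    translate(0x15);
    translate(0x10);
    emit("}\nvoid K(int *x, int *u) { int i; for (i = 0; i < 2; i++) u[i] = K_bits(x, i); }\n");
    return out;
}

int main(void) {
    fputs(generate_k(1, 1), stdout);
    printf("Def. 16 and the traversal agree on f_1: %d, on f_2: %d\n",
           agree_everywhere(0x15), agree_everywhere(0x10));
    return 0;
}
```

Compiled with a C99 compiler, the program prints the generated K_bits/K text followed by the two agreement flags. The point of agree_everywhere is the correctness argument behind Theorem 17 in miniature: the goto chain the generator emits computes exactly the function Def. 16 assigns to the root, and the while loop in traverse makes the per-bit cost bound (one step per state variable at most) visible.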



E A DTLHS Buck Model Robust on R and V_i

In this section we address the problem of refining the model given in Sect. 3.1
so as to require a controller for our buck to be robust to foreseen variations
in the load $R$ and in the power supply $V_i$. That is, given tolerances $\rho_R$ and
$\rho_{V_i}$, we want the controller output by QKS for our buck to work for any $R \in
[\max\{0, R(1 - \rho_R)\}, R(1 + \rho_R)]$ and any $V_i \in [\max\{0, V_i(1 - \rho_{V_i})\}, V_i(1 + \rho_{V_i})]$.
Variations in the power supply are modeled by replacing Eq. (12) in
Sect. 3.1 with the following:

$v_D \le v_u - V_i(1 - \rho_{V_i})$   (15)

$v_D \ge v_u - V_i(1 + \rho_{V_i})$   (16)

Along the same lines, we may model also variations in the load $R$. However,
since $N$ dynamics is not linear in $R$, much more work is needed (along
the lines of [21]). To this aim, we proceed as follows.

    int K_bits(int *x, int action) {
      int ret_b;
      switch (action) {
        case 0: ret_b = 0; goto L_0x15;
        case 1: ret_b = 0; goto L_0x10;
      }
      L_0x15: if (x[0] == 1) goto L_0x13; else { ret_b = !ret_b; goto L_0x14; }
      L_0x13: if (x[1] == 1) goto L_0xe;  else { ret_b = !ret_b; goto L_1; }
      L_0xe:  if (x[2] == 1) goto L_1;    else { ret_b = !ret_b; goto L_1; }
      L_0x14: if (x[1] == 1) goto L_0xe;  else goto L_1;
      L_0x10: if (x[0] == 1) goto L_0xe;  else { ret_b = !ret_b; goto L_0xf; }
      L_0xf:  if (x[1] == 1) goto L_0xe;  else { ret_b = !ret_b; goto L_0xe; }
      L_1: return ret_b;
    }

    void K(int *x, int *u) {
      int i;
      for (i = 0; i < 2; i++)
        u[i] = K_bits(x, i);
    }

Figure 12: C code for mgo in Fig. 11 as generated by Synthesize

The only equation depending on $R$ is Eq. (4) of Sect. 3.1. Consider constants
$a_{2,1}(R)$ = [...], $a_{2,2}(R)$ = [...], $a_{2,3}(R)$ = [...]
as (nonlinear) functions of $R$. It is easy to see that $a_{2,1}(R)$, $a_{2,2}(R)$ are monotonically
increasing functions for $R \in \mathbb{R}^+$, while $a_{2,3}(R)$ is monotonically
decreasing for $R \in \mathbb{R}^+$. Thus, if signs of $i_L, v_O, v_D$ are known, it is possible to
replace Eq. (4) with two inequalities $v_O' \ge T a_{2,1}(R^-_{i_L}) i_L + (1 + T a_{2,2}(R^-_{v_O})) v_O +
T a_{2,3}(R^-_{v_D}) v_D$ and $v_O' \le T a_{2,1}(R^+_{i_L}) i_L + (1 + T a_{2,2}(R^+_{v_O})) v_O + T a_{2,3}(R^+_{v_D}) v_D$,
being

• $R^-_w =$ if $w \ge 0$ then $R(1 - \rho_R)$ else $R(1 + \rho_R)$ and $R^+_w =$ if $w \ge 0$
then $R(1 + \rho_R)$ else $R(1 - \rho_R)$ for $w \in \{i_L, v_O\}$;

• $R^-_{v_D} =$ if $v_D \ge 0$ then $R(1 + \rho_R)$ else $R(1 - \rho_R)$ and $R^+_{v_D} =$ if $v_D \ge 0$
then $R(1 - \rho_R)$ else $R(1 + \rho_R)$.

This leads us to replace Eq. (4) of Sect. 3.1 with the equations in Fig. 13.

Note that, w.r.t. the model in Sect. 3.1, in Fig. 13 we add to $Y$ 11
auxiliary boolean variables $Z_{i_L}, Z_{v_O}, Z_{v_D}, Z_{ppp}, Z_{ppn}, Z_{pnp}, Z_{pnn}, Z_{npp}, Z_{npn}, Z_{nnp}, Z_{nnn}$
with the following meaning.
The boolean variable $Z_{i_L}$ [$Z_{v_O}$, $Z_{v_D}$] is true iff $i_L$ [$v_O$, $v_D$] is positive (see
Eqs. (17) and (20) [Eqs. (18) and (21), Eqs. (19) and (22)]). The boolean
variable $Z_{abc}$, with $a, b, c \in \{p, n\}$, is true iff (if $a = p$ then $i_L \ge 0$ else
$i_L < 0$) $\land$ (if $b = p$ then $v_O \ge 0$ else $v_O < 0$) $\land$ (if $c = p$ then $v_D \ge 0$ else
$v_D < 0$). This is stated by Eqs. (23)-(30). Boolean variables $Z_{abc}$ are then
used as guards for the inequalities replacing Eq. (4) as stated before. This is
done in Eqs. (31)-(46).

$Z_{i_L} \to i_L \ge 0$   (17)

$Z_{v_O} \to v_O \ge 0$   (18)

$Z_{v_D} \to v_D \ge 0$   (19)

$\bar{Z}_{i_L} \to i_L < 0$   (20)

$\bar{Z}_{v_O} \to v_O < 0$   (21)

$\bar{Z}_{v_D} \to v_D < 0$   (22)

$\bar{Z}_{ppp} \to 1 - Z_{i_L} + 1 - Z_{v_O} + 1 - Z_{v_D} \ge 1$   (23)

$\bar{Z}_{pnp} \to 1 - Z_{i_L} + Z_{v_O} + 1 - Z_{v_D} \ge 1$   (24)

$\bar{Z}_{ppn} \to 1 - Z_{i_L} + 1 - Z_{v_O} + Z_{v_D} \ge 1$   (25)

$\bar{Z}_{pnn} \to 1 - Z_{i_L} + Z_{v_O} + Z_{v_D} \ge 1$   (26)

$\bar{Z}_{npp} \to Z_{i_L} + 1 - Z_{v_O} + 1 - Z_{v_D} \ge 1$   (27)

$\bar{Z}_{nnp} \to Z_{i_L} + Z_{v_O} + 1 - Z_{v_D} \ge 1$   (28)

$\bar{Z}_{npn} \to Z_{i_L} + 1 - Z_{v_O} + Z_{v_D} \ge 1$   (29)

$\bar{Z}_{nnn} \to Z_{i_L} + Z_{v_O} + Z_{v_D} \ge 1$   (30)

$Z_{ppp} \to v_O' \le T a_{2,1}(R(1+\rho_R)) i_L + (T a_{2,2}(R(1+\rho_R)) + 1) v_O + T a_{2,3}(R(1-\rho_R)) v_D$   (31)

$Z_{ppp} \to v_O' \ge T a_{2,1}(R(1-\rho_R)) i_L + (T a_{2,2}(R(1-\rho_R)) + 1) v_O + T a_{2,3}(R(1+\rho_R)) v_D$   (32)

$Z_{ppn} \to v_O' \le T a_{2,1}(R(1+\rho_R)) i_L + (T a_{2,2}(R(1+\rho_R)) + 1) v_O + T a_{2,3}(R(1+\rho_R)) v_D$   (33)

$Z_{ppn} \to v_O' \ge T a_{2,1}(R(1-\rho_R)) i_L + (T a_{2,2}(R(1-\rho_R)) + 1) v_O + T a_{2,3}(R(1-\rho_R)) v_D$   (34)

$Z_{pnp} \to v_O' \le T a_{2,1}(R(1+\rho_R)) i_L + (T a_{2,2}(R(1-\rho_R)) + 1) v_O + T a_{2,3}(R(1-\rho_R)) v_D$   (35)

$Z_{pnp} \to v_O' \ge T a_{2,1}(R(1-\rho_R)) i_L + (T a_{2,2}(R(1+\rho_R)) + 1) v_O + T a_{2,3}(R(1+\rho_R)) v_D$   (36)

$Z_{pnn} \to v_O' \le T a_{2,1}(R(1+\rho_R)) i_L + (T a_{2,2}(R(1-\rho_R)) + 1) v_O + T a_{2,3}(R(1+\rho_R)) v_D$   (37)

$Z_{pnn} \to v_O' \ge T a_{2,1}(R(1-\rho_R)) i_L + (T a_{2,2}(R(1+\rho_R)) + 1) v_O + T a_{2,3}(R(1-\rho_R)) v_D$   (38)

$Z_{npp} \to v_O' \le T a_{2,1}(R(1-\rho_R)) i_L + (T a_{2,2}(R(1+\rho_R)) + 1) v_O + T a_{2,3}(R(1-\rho_R)) v_D$   (39)

$Z_{npp} \to v_O' \ge T a_{2,1}(R(1+\rho_R)) i_L + (T a_{2,2}(R(1-\rho_R)) + 1) v_O + T a_{2,3}(R(1+\rho_R)) v_D$   (40)

$Z_{npn} \to v_O' \le T a_{2,1}(R(1-\rho_R)) i_L + (T a_{2,2}(R(1+\rho_R)) + 1) v_O + T a_{2,3}(R(1+\rho_R)) v_D$   (41)

$Z_{npn} \to v_O' \ge T a_{2,1}(R(1+\rho_R)) i_L + (T a_{2,2}(R(1-\rho_R)) + 1) v_O + T a_{2,3}(R(1-\rho_R)) v_D$   (42)

$Z_{nnp} \to v_O' \le T a_{2,1}(R(1-\rho_R)) i_L + (T a_{2,2}(R(1-\rho_R)) + 1) v_O + T a_{2,3}(R(1-\rho_R)) v_D$   (43)

$Z_{nnp} \to v_O' \ge T a_{2,1}(R(1+\rho_R)) i_L + (T a_{2,2}(R(1+\rho_R)) + 1) v_O + T a_{2,3}(R(1+\rho_R)) v_D$   (44)

$Z_{nnn} \to v_O' \le T a_{2,1}(R(1-\rho_R)) i_L + (T a_{2,2}(R(1-\rho_R)) + 1) v_O + T a_{2,3}(R(1+\rho_R)) v_D$   (45)

$Z_{nnn} \to v_O' \ge T a_{2,1}(R(1+\rho_R)) i_L + (T a_{2,2}(R(1+\rho_R)) + 1) v_O + T a_{2,3}(R(1-\rho_R)) v_D$   (46)

Figure 13: DTLHS Buck Model Robust on R

Finally, the transition relation $N$ of $\mathcal{H}$ is given by the conjunction of the
constraints given above and the following explicit (safety) bounds: −4 ≤ i_L ≤
4 ∧ −1 ≤ v_O ≤ 7 ∧ −10^ ≤ i_D ≤ 10^ ∧ −10^ ≤ i_u ≤ 10^ ∧ −10^ ≤ v_u ≤ 10^.



